{"id":17168,"date":"2026-05-12T08:08:05","date_gmt":"2026-05-12T15:08:05","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=17168"},"modified":"2026-05-12T08:08:05","modified_gmt":"2026-05-12T15:08:05","slug":"anthropics-bug-hunting-mythos-was-greatest-marketing-stunt-ever-says-curl-creator","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/05\/12\/anthropics-bug-hunting-mythos-was-greatest-marketing-stunt-ever-says-curl-creator\/","title":{"rendered":"Anthropic\u2019s Bug-hunting Mythos Was Greatest Marketing Stunt Ever,\u00a0Says Curl Creator"},"content":{"rendered":"\n<p>It seems the great AI exploit finder they couldn&#8217;t allow to be released to the public was mostly hype, and marketing for the coming IPO. A key takeaway is that these AI bots are limited by their programmers to what types of vulnerabilities already exist, and it&#8217;s not doing any new reasoning to find new types of vulnerabilities. Like most of AI, it just regurgitates knowledge fed into it without any real intelligence, which is why they are so prone to error, or &#8220;hallucinations&#8221;. 
I do think there will be a superintelligent AI, but probably faked by fallen angels in the Tribulation, the <a href=\"https:\/\/jasonsblog.ddns.net\/index.php\/2023\/04\/18\/the-image-of-the-beast\/\" target=\"_blank\" rel=\"noreferrer noopener\">image of the beast<\/a> given breath, the abomination that causes desolation.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.theregister.com\/security\/2026\/05\/11\/anthropics-bug-hunting-mythos-was-greatest-marketing-stunt-ever-says-curl-creator\/5238111\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.theregister.com\/security\/2026\/05\/11\/anthropics-bug-hunting-mythos-was-greatest-marketing-stunt-ever-says-curl-creator\/5238111<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_65be9834-d156-460e-8c32-632e24432312\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<h5 class=\"wp-block-heading\">After all that hype, AI scanner found one low-severity\u00a0cURL flaw<\/h5>\n\n\n\n<p>By Brandon Vigliarolo<\/p>\n\n\n\n<p>cURL developer Daniel Stenberg has seen Anthropic\u2019s Mythos, a model the AI biz has suggested is too capable at finding security holes to release publicly, scan his popular open source project. But after the system turned up just a single vulnerability, he concluded the hype around Mythos was \u201cprimarily marketing\u201d rather than a major AI security breakthrough.<\/p>\n\n\n\n<p>Stenberg <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/05\/11\/mythos-finds-a-curl-vulnerability\/\">explained<\/a> in a Monday blog post that he was promised access to Anthropic\u2019s Mythos model &#8211; sort of &#8211; through the AI biz\u2019s Project Glasswing program. 
Part of Glasswing involves giving high-profile open source projects access via the Linux Foundation, but while Stenberg signed up to try Mythos, he said he never actually received direct access to the model. Instead, someone else with access ran Mythos against curl\u2019s codebase and later sent him a report.<\/p>\n\n\n\n<p>\u201cIt\u2019s not that I would have a lot of time to explore lots of different prompts and doing deep dive adventures anyway,\u201d Stenberg explained. \u201cGetting the tool to generate a first proper scan and analysis would be great, whoever did it.\u201d<\/p>\n\n\n\n<p>That scan, which analyzed curl\u2019s git repository at a recent master-branch commit, was&nbsp;sent back to him earlier this month, and it found just five things that it claimed were \u201cconfirmed security vulnerabilities\u201d in cURL. Saying he had expected an extensive list of vulnerabilities, Stenberg wrote that the report \u201cfelt like nothing,\u201d and that feeling was further validated by a review of Mythos\u2019 findings.&nbsp;<\/p>\n\n\n\n<p>\u201cOnce my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability,\u201d Stenberg said, bringing us back to the aforementioned number.&nbsp;<\/p>\n\n\n\n<p>As for the other four, three turned out to be false positives that pointed out cURL shortcomings already noted in API documentation, while the team deemed the fourth to be just a simple bug.&nbsp;<\/p>\n\n\n\n<p>\u201cThe single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with our pending next curl release 8.21.0 in late June,\u201d the cURL meister noted. 
\u201cThe flaw is not going to make anyone grasp for breath.\u201d<\/p>\n\n\n\n<p>That said, Mythos did find several other non-security bugs that Stenberg said the team is working on fixing, and he notes that their description and explanation were well done. Mythos can do good work, in other words, but it\u2019s <a href=\"https:\/\/www.theregister.com\/security\/2026\/04\/22\/anthropic-mythos-shaping-up-as-nothingburger\/5225649\">not a ground-breaking, game-changing AI model<\/a> like Anthropic has claimed.<\/p>\n\n\n\n<p>\u201cMy personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing,\u201d Stenberg said in the blog post. \u201cI see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">cURL code is no stranger to AI<\/h3>\n\n\n\n<p>To say cURL has become widely used in its nearly three decades of existence would be an understatement. Its wide reach has meant that its team has been running it through all sorts of static code analyzers and fuzz testing it since well before the dawn of the AI age. With AI\u2019s rise, the cURL team has adapted, meaning Mythos is hardly the first AI to get its fingers on cURL\u2019s codebase.&nbsp;<\/p>\n\n\n\n<p>\u201cThese tools and the analyses they have done have triggered somewhere between two and three hundred bugfixes merged in curl through-out the recent 8-10 months or so,\u201d Stenberg said of tools like AISLE, Zeropath, and OpenAI Codex Security that\u2019ve tested cURL code. \u201cA bunch of the findings these AI tools reported were confirmed vulnerabilities and have been published as CVEs. 
Probably a dozen or more.\u201d<\/p>\n\n\n\n<p>Stenberg\u2019s experience with AI testing cURL, in other words, makes it a great candidate to see how effective Mythos can really be at finding more than the average AI.&nbsp;<\/p>\n\n\n\n<p>As Stenberg noted elsewhere in his blog post, Mythos isn\u2019t doing anything particularly novel when it comes to security discoveries: It might be a bit better at finding things than previous models, but \u201cit is not better to a degree that seems to make a significant dent in code analyzing,\u201d the cURL author noted.&nbsp;<\/p>\n\n\n\n<p>Stenberg isn\u2019t an AI doomer when it comes to its ability to improve software design, though. Yes, he may have <a href=\"https:\/\/www.theregister.com\/security\/2026\/01\/21\/curl-shutters-bug-bounty-program-to-stop-ai-slop\/5063039\">closed the cURL bug bounty<\/a> earlier this year due to an influx of sloppy, useless bug reports, but he also noted a few months prior to the bounty closure that some security researchers assisted by AI <a href=\"https:\/\/www.theregister.com\/software\/2025\/10\/02\/curl-project-swamped-with-ai-slop-finds-not-all-ai-is-bad\/588432\">have made valuable reports<\/a>.&nbsp;<\/p>\n\n\n\n<p>\u201cAI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past,\u201d Stenberg said, adding an important qualifier for the Mythos moment: \u201cAll modern AI models are good at this now.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Mythos isn\u2019t any more creative than its creators<\/h3>\n\n\n\n<p>Both older AI models and security-focused tools like Mythos have a common limitation, as far as Stenberg is concerned: They\u2019re only as good at finding security vulnerabilities as the humans who programmed them.&nbsp;<\/p>\n\n\n\n<p>\u201cAI tools find the usual and established kind of errors we already know about. 
It just finds new instances of them,\u201d Stenberg said. \u201cWe have not seen any AI so far report a vulnerability that would somehow be of a novel kind or something totally new.\u201d<\/p>\n\n\n\n<p>As for Mythos, Stenberg remains unimpressed, calling it &#8220;an amazingly successful marketing stunt for sure&#8221; in his blog post.<\/p>\n\n\n\n<p>In an email to The Register, Stenberg admitted that it\u2019d be possible for AI models to actually discover new, novel types of vulnerabilities, but he\u2019s still not convinced that they can go beyond what humans are capable of finding, given that they\u2019re limited by our understanding of how software vulnerabilities work.&nbsp;<\/p>\n\n\n\n<p>At the end of the day, Stenberg explained, when we talk about security, we\u2019re only talking about code. \u201cSource code is text and it feels like maybe we already know about most ways we can do security problems in it,\u201d he pondered in his email.&nbsp;<\/p>\n\n\n\n<p>In other words, like the valuable AI-assisted reports made to the cURL bug bounty program before its closure due to a flood of AI garbage, making valuable use of systems like Mythos is going to require humans to get creative. Sorry, no foisting your critical thinking onto a bot.&nbsp;<\/p>\n\n\n\n<p>\u201cHuman researchers have always used tools when they look for security problems,\u201d Stenberg told us. \u201cAdding AIs to the mix gives the humans even more powerful tools to use, more ways to find problems. I expect that many security bugs going forward will be found by humans coming up with new ways and angles of prompting the AIs.\u201d<\/p>\n\n\n\n<p>Stenberg said that he hopes he\u2019ll actually get his hands on Mythos so he can experiment with its capabilities, but he doesn\u2019t seem to be holding out hope the promised access will materialize.<\/p>\n\n\n\n<p>\u201cI have been promised access and for all I know I will eventually get it,\u201d Stenberg told us. 
\u201cI just don&#8217;t know when.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It seems the great AI exploit finder they couldn&#8217;t allow to be released to the public was mostly hype, and marketing for the coming IPO. A key takeaway is that these AI bots are limited by their programmers to what types of vulnerabilities already exist, and it&#8217;s not doing any new reasoning to find new [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-17168","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=17168"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17168\/revisions"}],"predecessor-version":[{"id":17169,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17168\/revisions\/17169"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=17168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=17168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\
/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=17168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}