However, this change goes far beyond bug bounty programs, as the OWASP expert explains: “This development undermines the idea that security can remain a subsequent ‘find and fix’ measure. The era of the security backlog is therefore coming to a well-deserved end.”
Traditional vulnerability management is based on prioritization: problems are categorized according to severity, exploitability and potential business impact and then successively resolved. According to Williams, however, the limiting factor is no longer how well companies prioritize: “Claude Mythos makes one thing painfully clear: prioritization is not the problem, but rather how weak points are managed – i.e. the time window of exposure.”
That’s why he strongly advises companies to evolve both their tools and their assumptions about how quickly security-related conditions can change.
At the same time, the question remains as to how quickly the new AI capabilities will spread. After all, in the wrong hands, Claude Mythos could also be used to exploit vulnerabilities more quickly. OWASP expert Williams has little doubt that this will happen: “It is highly questionable whether Anthropic will be able to put a stop to the harmful use of Claude Mythos.”
Anthropic is providing model credits totaling $100 million for “Project Glasswing.” However, the AI provider expects additional investments from the participating organizations as part of the research preview.
Criticism of Anthropic
After the presentation of “Project Glasswing,” Anthropic drew criticism for granting access to the Claude Mythos preview almost exclusively to large US tech companies. As a report by Politico suggests, European regulatory authorities in particular have been left out so far: of the eight EU regulatory authorities Politico contacted, only the German BSI is apparently in contact with Anthropic about access to the new AI model.
