A Boy That Cried Mythos: Verification Is Collapsing Trust in Anthropic
6 hours ago
- #AI security hype
- #vulnerability disclosure
- #regulatory capture
- The system card for Claude Mythos Preview is 244 pages but only 7 pages address cybersecurity risks, lacking critical security terminology like 'fuzzer', CVSS, CWE, or CVE.
- The key demonstration involves exploiting two already-patched Firefox bugs in a stripped-down test environment, with a 72.4% exploit success rate dropping to 4.4% when those bugs are removed, showing limited novel capability.
- Independent testing by AISLE found that small open-weights models could reproduce Anthropic's showcased vulnerabilities for minimal cost, challenging claims of exclusive frontier capability.
- Anthropic's claims rely on a circular citation among its own documents, with no external partner confirmation of specific vulnerabilities, and the $100 million Glasswing initiative includes mostly API credits rather than direct funding.
- The cyber ranges evaluation reveals that Mythos only succeeds against weak, undefended systems and fails against properly configured, patched targets or operational technology environments.
- Critical security evaluation elements are missing from the system card, such as CVSS distributions, CVE lists, false-positive rates, and comparisons to existing tools like fuzzers.
- The Glasswing consortium creates a private gatekeeping structure for vulnerability disclosure, favoring large incumbents and lacking democratic oversight, raising concerns about regulatory capture.
- The rapid institutional and policy response to Mythos, despite weak evidence, mirrors historical FUD (fear, uncertainty, doubt) cycles where hype drives lasting policy or market changes.