
Anthropic loosens the lid on Mythos

Mythos was built behind closed doors. Now everyone’s on notice.


TOPICS: AI / AI Industry Use Cases / AI in Cybersecurity

TL;DR: Anthropic is walking back the secrecy around Project Glasswing and letting partners share cybersecurity findings with other security teams, regulators, and the public, the WSJ reported yesterday. With 90-day disclosure clocks now running on cyber threats, and with rivals and government agencies watching, Anthropic is under pressure to balance safety with transparency.

What happened: Last week, in a revision of its confidentiality policy, Anthropic started letting those in its Glasswing program—which include around 50 companies in tech and finance as well as the Pentagon—share findings and best practices with security teams at other companies and the public, per WSJ.

The confidentiality agreements were requested by partners initially, but “as the program has matured, we’ve adapted them to ensure key information can be shared broadly […] for maximum defensive impact,” an Anthropic spokeswoman told WSJ.

90-day clock: The shift will follow standard responsible-disclosure norms, which could signal a wave of vulnerability disclosures: researchers and organizations typically give an affected party 90 days to fix a flaw before going public with it.

But the stakes are higher this time as Mythos is operating at a scale and speed that outpaces regular human security teams, which means that the 90-day clock is going to start ticking a lot more often. And organizations could soon face tight deadlines to patch vulnerabilities before Mythos’s risk findings hit the open market. (Google and Microsoft had beef in 2015 over a rigid 90-day policy that resulted in Google disclosing a vulnerability before Microsoft could patch it; Microsoft then accused the company of wanting a “gotcha” moment.)

Tech news that makes sense of your fast-moving world.

Tech Brew breaks down the biggest tech news, emerging innovations, workplace tools, and cultural trends so you can understand what's new and why it matters.


Boiling point: Anthropic is facing mounting pressure from all sides. Rivals like OpenAI and startup Mistral AI are shopping their Mythos counterparts to major organizations that have Mythos FOMO (such as European banks).

The secrecy around Mythos’s capabilities is drawing concern from regulators. “No entity should be contractually restricted from warning others, coordinating mitigations, or informing relevant and trusted stakeholders about urgent cyber risks,” Rep. Josh Gottheimer (D-NJ) wrote in a Monday letter viewed by WSJ. Anthropic is also set to brief the UK’s Financial Stability Board on the vulnerabilities Mythos has identified in the global financial system, the Financial Times reported. Plus, Mythos will likely be subject to strict obligations when the EU AI Act’s rules come into effect in August.

Bottom line: With rivals circling and regulators demanding answers, opening up Glasswing was inevitable. The conundrum for organizations now is whether they can patch vulnerabilities faster than the new wave of countdowns. —LC
