
Anthropic's Bug-Hunting Mythos Was Greatest Marketing Stunt Ever, Says cURL Creator

(Monday May 11, 2026 @05:00PM (BeauHD) from the not-particularly-dangerous dept.)


cURL creator Daniel Stenberg says Anthropic's hyped [1]Mythos bug-hunting model found only one confirmed low-severity vulnerability in cURL, plus a few non-security bugs, after he had expected a much longer list. He argues Mythos may be useful, but not meaningfully beyond other modern AI code-analysis tools. "My personal conclusion can however not end up with anything else than that [2]the big hype around this model so far was primarily marketing," Stenberg said in a blog post. "I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos." He went on to call Mythos "an amazingly successful marketing stunt for sure." The Register reports:

> Stenberg [3]explained in a Monday blog post that he was promised access to Anthropic's Mythos model - sort of - through the AI biz's Project Glasswing program. Part of Glasswing involves giving high-profile open source projects access via the Linux Foundation, but while Stenberg signed up to try Mythos, he said he never actually received direct access to the model. Instead, someone else with access ran Mythos against curl's codebase and later sent him a report. "It's not that I would have a lot of time to explore lots of different prompts and doing deep dive adventures anyway," Stenberg explained. "Getting the tool to generate a first proper scan and analysis would be great, whoever did it."

>

> That scan, which analyzed curl's git repository at a recent master-branch commit, was sent back to him earlier this month, and it found just five things that it claimed were "confirmed security vulnerabilities" in cURL. Saying he had expected an extensive list of vulnerabilities, Stenberg wrote that the report "felt like nothing," and that feeling was further validated by a review of Mythos' findings. "Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability," Stenberg said, bringing us back to the aforementioned number.

>

> As for the other four, three turned out to be false positives that pointed out cURL shortcomings already noted in API documentation, while the team deemed the fourth to be just a simple bug. "The single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with our pending next curl release 8.21.0 in late June," the cURL meister noted. "The flaw is not going to make anyone grasp for breath."



[1] https://it.slashdot.org/story/26/04/07/2115208/anthropic-unveils-claude-mythos-powerful-ai-with-major-cyber-implications

[2] https://www.theregister.com/security/2026/05/11/anthropics-bug-hunting-mythos-was-greatest-marketing-stunt-ever-says-curl-creator/5238111

[3] https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/



Actually, congrats to the cURL team (Score:2)

by CommunityMember ( 6662188 )

cURL is apparently well written with minimal security vulnerabilities. I am not sure all other software can make that claim (and if the reports are accurate, Firefox had its share of vulnerabilities identified by the tool).

Re: Actually, congrats to the cURL team (Score:2)

by Tomahawk ( 1343 )

My thoughts exactly. Maybe the codebase is just too good for a demonstration of Mythos.

Re: Actually, congrats to the cURL team (Score:3)

by reanjr ( 588767 )

They actually said other tools are regularly used and have been known to find hundreds of issues. So, no, their awesome code is not the reason. Mythos just sucks at finding vulnerabilities.

Re: (Score:2)

by Himmy32 ( 650060 )

Literally 30 years of polish by one of the most used projects of all time, directed by a person who works in the security industry, and the codebase is under a couple hundred thousand lines.

Might not hold the same opinion as Mozilla that it'll solve all bugs, but any code scanning tool that finds a legit bug is doing at least something right.

umm (Score:2)

by nomadic ( 141991 )

I mean maybe he's right, but I would always take with a grain of salt a software package creator's opinion on how awesome his software package is.

Re: (Score:3)

by Junta ( 36770 )

Actually, if anything he's saying his software package is so crappy that it *should* have found issues. He considers its failure to find issues not a testament to how awesome his software package is but to how lacking the tool is.

I've seen a few times where the curl developer has stood up to some asinine thing that most projects just roll with and I've appreciated his perspective each time.

His finding is consistent with another analysis I saw: Mythos was not good at finding issues at all. The one thing they

It's just lies on top of a tiny bit of actual data (Score:1)

by MIPSPro ( 10156657 )

I'd assert 100% that he's right. Claim: Mythos found thousands of severe bugs. Evidence: Anthropic filed around a dozen checksums for "future bugs" they claim are bad but there is zero evidence. They produced exactly three actual OS bugs with exploits only one of which was an RCE. Mozilla claims to have found a couple of hundred bugs in Firefox, but with no read on how severe or security related they were/are and I'd remind folks that's not an operating system.

Question: Where in the actual fuck is anythi

It's literally named... (Score:3)

by SumDog ( 466607 )

When they first splurged this bullshit, I immediately thought, "It's named 'Mythos'? Really?" Literally "Mythical".

I've read some posts that show GPT-5 could find some of the same vulnerabilities if pointed to the same code, and the Mythos version that found some of these issues spent $2k or more worth of tokens on them.

I recently broke out Opus and Sonnet again on my personal projects (I try to restrict LLMs to work where I don't care so much) and I found myself rewriting over a third of the output, even after trying to get the agent to fix issues. It's really a big quantity over quality issue still, with the latest and greatest models. Sure, they can build things fast if you need unpredictable spaghetti code shit. Maybe great for one-time migration scripts.

One of my managers showed me some MCP servers he set up and how he got Claude to connect to Grafana, examine his Pods, create a full dashboard and even automate alerts. It was kinda cool, but I was like "You used your read-only API keys for AWS/Grafana/etc, right?" ... He used full access, said you had to.

I worry about this level of dependence. I also have a feeling if I dug into those graphs, half of them would have bad queries or not be gathering the information they claim.

Re: (Score:2)

by Ksevio ( 865461 )

That's sort of their naming convention for the model sizes: Haiku, Sonnet, Opus, Mythos.

Glad someone else is saying that (Score:3)

by Somervillain ( 4719341 )

I have been saying it to anyone who will listen: Mythos won't end cybersecurity. It's not a tool too powerful to get into anyone's hands. It's an incremental upgrade to existing models. I am sure it's nice...it just won't change the world or set it on fire. I also have an insider connection that confirmed...it's no revolution, just a marketing stunt. I thought Anthropic was above the Sam-Altman-grade bullshit, but I was wrong. It's inspired many emotions, but that was based on our imagination, not reality.

Re: (Score:1)

by MIPSPro ( 10156657 )

You are right. I'd also add that I find it... interesting that they point all this "high powered" shit at FreeBSD and a bit less at Linux, yet not a smidge of evidence beyond "trust me bro" that they've ever tried the same with Windows. Almost as if they don't mind taking a swipe at FOSS, knowing it's not yet fully populated with lawyers, unlike MicroSlop (going to use that term since they hate it). Kinda odd they don't go after the most common and impactful OS, but they have time to find RCEs in

waiting for the report from FFMPEG (Score:2)

by oumuamua ( 6173784 )

FFMPEG can instantaneously crash Ubuntu, there must be some unsafe operation(s) in the codebase.

It's not hype if Mythos found 5 real bugs (Score:3)

by Echoez ( 562950 )

I think a few things are at play here: First, curl is an extremely solid project that's been around for decades and is pretty hardened at this point. And curl is itself a "small" project (in that it's a utility with a very focused use-case, as compared to an OS, or a SaaS platform, or a hypervisor, or software to control a self-driving car).

Second, Mythos (by his own admission) found 5 bugs. The fact that 3 of them were documented shortcomings doesn't negate away that it found them. One confirmed CVE was found, and will be fixed.

This wasn't AI slop generated nonsense; it produced a report where all 5 were found against one of the most hardened codebases on Earth. It's very likely that when this is run against bigger software that is less mature with a huge footprint, it will find more.

The AI Companies are pushing a lie! (Score:2)

by oldgraybeard ( 2939809 )

The only mythology here is that any of these companies have actually created Artificial Intelligence! They are pushing their massive automation operations as Intelligence!

The greatest lie of modern business!

Fool me thrice (Score:2)

by WaffleMonster ( 969671 )

This has been an ongoing marketing ploy for years. Hype a new AI model only to find out it is at best only marginally better than the previous iteration.
