1,611 Bugs Found, 27 Fixed: Anthropic's Fire Hose Problem
Table of contents
The Scoreboard Nobody Wants to Talk About
Anthropic's disclosure ledger at red.anthropic.com is the most transparent vulnerability tracker any AI company has ever published. It is also the most damning indictment of the gap between AI capability and human capacity that exists anywhere on the internet right now.
The numbers as of May 22, 2026:
23,019 vulnerability candidates discovered by Claude Mythos Preview across 1,000+ open source projects. 1,900 sent to external security research firms for human triage. 1,726 confirmed as real vulnerabilities. That is a 90.8% true positive rate. 1,596 disclosed to maintainers across 281 projects. 97 patched upstream. 88 assigned a CVE or GHSA.
Read that again. 23,019 found. 97 fixed. That is a 0.4% remediation rate.
On the ledger itself, the user-facing view is even starker. 1,611 entries. 27 marked as fixed. 1,596 disclosed. 15 still in pre-disclosure. Zero withdrawn.
Anthropic built a machine that finds vulnerabilities faster than the entire open source ecosystem can fix them. And then they published a public scoreboard proving it.
What Mythos Actually Found
This is not a scanner spitting out low-confidence noise. The findings include vulnerabilities in software that runs the internet.
nginx: A heap buffer overflow in the WebDAV module that allows unauthenticated remote file writes. nginx sits in front of roughly 34% of all websites. CVE-2026-27654.
wolfSSL: Multiple critical and high-severity vulnerabilities including nonce reuse in TLS 1.2 encryption, universal signature forgery, certificate validation bypass, and tag truncation attacks. wolfSSL is embedded in over 5 billion devices. Eight CVEs assigned across one library.
Temporal: Cross-namespace manipulation allowing deletion of workflows on the same cluster. CVE-2026-5199, rated critical. Temporal is the workflow engine behind a significant chunk of enterprise microservices.
HashiCorp Nomad: Path traversal in the host volume manager. CVE-2026-7474, rated critical. Nomad manages workload orchestration for organizations running at scale.
Ghost CMS: SQL injection in the Content API. GHSA-w52v-v783-gw97, rated critical. Ghost powers thousands of publications.
Mastodon: Signature bypass via JSON-LD restructuring plus SSRF bypass via IPv6. Two high-severity findings in the largest decentralized social network.
FreeRDP: Multiple heap buffer overflows including attacker-controlled offset writes. FreeRDP is the default remote desktop client on most Linux distributions.
ImageMagick: Heap buffer overflow in MVG pattern rendering. ImageMagick processes images on millions of servers.
These are not theoretical vulnerabilities. They are exploitable bugs in production software used by billions of people. And Mythos found them autonomously.
The Asymmetry Problem
Here is the fundamental issue that Anthropic's ledger makes impossible to ignore.
AI scales discovery. Humans do not scale patching.
Mythos Preview found 23,019 candidates in roughly three months of scanning. The six external security research firms Anthropic hired can review about 1,900 in that same period. Maintainers have managed to patch 97.
The pipeline looks like this: 23,019 in. 1,900 triaged. 1,596 disclosed. 97 fixed. Each step loses an order of magnitude.
Mozilla's numbers illustrate the scale shift perfectly. During testing of Firefox 148, Claude Opus 4.6 found 27 vulnerabilities. During testing of Firefox 150, Mythos Preview found 271. A 10x improvement in one model generation. Cloudflare found 2,000 vulnerabilities across its repos, 400 of them high or critical severity.
Palo Alto Networks released more than five times its usual patch volume in a recent update cycle. Microsoft said monthly patch totals will "continue trending larger for some time."
And this is with roughly 50 partners. Anthropic has not released Mythos to the public yet.
The 90-Day Clock
Anthropic follows the industry standard 90-day coordinated vulnerability disclosure timeline. Once a maintainer is notified, they have 90 days to patch before details go public. Extensions of 14 days are available on request. For actively exploited critical vulnerabilities, the window shrinks to 7 days.
There is also a 7-day compressed timeline for actively exploited critical vulnerabilities, with one possible 7-day extension if the maintainer is actively working on a fix.
A separate 30-day clock runs in parallel. If a maintainer does not respond to the initial report within 30 days, Anthropic escalates the finding to an external vulnerability coordinator like CERT/CC. The 90-day disclosure deadline still applies regardless. The 30-day trigger does not shorten it. It just means an unresponsive maintainer gets bypassed.
This is standard practice. Google's Project Zero uses a similar timeline. It is well-understood and generally accepted as a reasonable balance between giving maintainers time and protecting the public through transparency.
But Project Zero discloses maybe 100-200 bugs per year across all of its researchers.
Anthropic disclosed 1,596 in three months. To 281 different projects. Many maintained by volunteers.
The 90-day clock that works for Google disclosing bugs to full-time security teams at Apple and Microsoft becomes something very different when applied to a solo maintainer running a project in their spare time.
Anthropic acknowledges this directly on their dashboard. They note that "several maintainers have told us they're currently severely capacity constrained, and some have even asked us to slow down the rate of our disclosures."
Some maintainers have not responded to reports at all. After 30 days of silence, Anthropic's policy is to escalate to an external vulnerability coordinator and proceed to public disclosure when the timeline expires.
The implications are clear. Some of these 1,596 disclosed vulnerabilities will become public not because they have been fixed but because the 90-day window closed and the maintainer did not have the capacity to patch them.
The Cryptographic Receipts
The disclosure ledger itself is an interesting piece of engineering. Every finding gets a SHA-3-512 hash of the sealed report published immediately as proof of possession. The hash is committed before the maintainer is even notified. The project name, bug class, and identifier are hidden behind dashes until the disclosure window closes.
This means Anthropic has a cryptographic proof of exactly when they knew about each vulnerability. It also means anyone watching the ledger can see the volume of undisclosed bugs accumulating in real time without knowing what they are.
As of the latest snapshot, rows and rows of entries show dates, hashes, and dashes where the project and bug class should be. Disclosed but not yet public. Ticking clocks.
The provenance system is genuinely well-designed. Every dashboard snapshot gets a manifest hash. The structured payload is published as machine-readable JSON. Archived snapshots remain available at dated paths so historical figures can be verified. This is transparency done right from a cryptographic standpoint.
But transparency about a problem is not the same as solving it.
The Severity Agreement Problem
The dashboard includes a severity agreement matrix comparing Mythos's initial assessments against the external security firms' assessments. The numbers are revealing.
Of 463 findings that went through this comparison, Mythos and the human reviewers agreed on exact severity 58.7% of the time. They agreed within one severity band 94.4% of the time.
But the disagreements skew in a specific direction. Mythos rated 145 findings as critical that the external firms downgraded to high. It rated 19 as critical that firms downgraded to low. The pattern is consistent: Mythos over-assesses severity.
Anthropic explains this by noting that maintainers apply project-specific context that Mythos does not have at runtime. A buffer overflow in a library that only processes trusted input might be technically critical but practically low risk. The human reviewers incorporate that context.
This matters because the headline numbers everyone repeats are the Mythos numbers. 23,019 findings. 10,000+ high and critical. But the human-reviewed reality is more nuanced. Still alarming. But more nuanced.
What the Critics Are Saying
The reaction to Anthropic's disclosure program has been polarized.
Dr. Heidy Khlaaf, chief AI scientist at the AI Now Institute, questioned the benchmarking transparency and evaluation methodology, arguing that Anthropic had not disclosed sufficient comparisons against established static analysis and security tooling. The question is valid. How much of what Mythos found would a well-configured CodeQL or Semgrep setup have caught? Anthropic has not published that comparison.
The New Stack ran a piece highlighting the contradiction between Anthropic claiming advanced AI-driven vulnerability discovery while simultaneously launching a traditional human-led bug bounty program on HackerOne.
Cybernews noted that while big companies like Cloudflare, Amazon, and Nvidia can handle the bug volume, regular developers simply cannot sort through all the AI-generated reports.
The Cloud Security Alliance published a research note on what they called the "autonomous offensive threshold," questioning whether the existence of Mythos-class models fundamentally changes the threat landscape regardless of whether Anthropic releases them responsibly.
Control Risks, the global risk consultancy, published an analysis on what the Mythos disclosure means for cyber risk governance, suggesting boards need to reconsider their vulnerability management assumptions.
The Uncomfortable Math
Let us do the math that nobody wants to do.
Anthropic found 23,019 vulnerability candidates. They had the capacity to triage 1,900 through external firms. That leaves 21,119 candidates that have not been independently verified. Some are false positives. Many are real bugs in real software that are sitting in a queue waiting for human review.
Of the 1,596 that made it to maintainers, 97 have been patched. A 6.1% patch rate. And those 97 patches do not mean the vulnerability is gone from the wild. Patched upstream means the fix exists. It does not mean every downstream user has applied it.
The average high or critical severity bug takes two weeks to patch once the maintainer starts working on it. Many maintainers have not started. The 90-day clock keeps ticking.
At the current discovery rate, Mythos will have identified roughly 50,000-75,000 vulnerability candidates by year end. The triage and patching capacity of the open source ecosystem will not have scaled to match. It cannot. There is no mechanism for it to.
Anthropic partnered with the Open Source Security Foundation's Alpha-Omega project to help maintainers process reports. But Alpha-Omega's annual budget is roughly $4 million. Anthropic is a $60 billion company pointing an AI model at the work of volunteers and asking a $4 million nonprofit to help them cope with the output.
What Anthropic Got Right
This is where the teardown gets complicated. Because despite everything above, Anthropic's approach is meaningfully better than the alternative.
The disclosure ledger is the most transparent vulnerability tracking system any organization has published. Cryptographic commitments. Machine-readable data. Public dashboard with real numbers. The severity agreement matrix showing where their AI over-assesses. The explicit acknowledgment that maintainers are overwhelmed.
They engaged six external security research firms for independent human triage rather than dumping raw AI output on maintainers. The 90.8% true positive rate suggests Mythos is not generating noise. These are real bugs.
They follow the 90-day standard rather than racing to publish. They offer extensions. They pace submissions to what maintainers can absorb. They partnered with Alpha-Omega.
The wolfSSL critical vulnerability affecting 5 billion devices was patched in one day after disclosure. The Temporal and Nomad critical bugs were patched promptly. When maintainers engage, the system works.
And the alternative to Anthropic finding these bugs is not that the bugs do not exist. The alternative is that the same class of AI models, in the hands of threat actors who do not follow responsible disclosure, find them first. Every vulnerability sitting in that ledger is a vulnerability that an attacker's version of Mythos could also find.
Anthropic published the uncomfortable truth: the bottleneck in software security has permanently shifted from discovery to remediation. They did not create that problem. They revealed it. But they did so at a scale that has overwhelmed the people who have to deal with the consequences.
The Real Question
The disclosure ledger is not just a transparency exercise. It is a signal.
Anthropic has not released Mythos to the public. When they do, or when competitors release equivalent models, every script kiddie on the planet will have access to a vulnerability discovery engine that outperforms most professional security teams.
The question is not whether AI-scale vulnerability discovery is coming. It is here. The question is whether the remediation ecosystem can adapt before the 90-day clocks run out.
Look at the ledger. 1,611 entries. 27 fixed. 1,596 disclosed. The clocks are already ticking.
And Mythos is still in preview.