Cracks in the Foundation Does Mythos Have Bugs? Anthropic Opens Its Bug Bounty. And Is This the End?

When Anthropic announced Claude Mythos Preview on April 7, 2026, the story it told was about what the model could do to other people's code. A watershed moment. A tool so capable at hunting vulnerabilities that releasing it publicly would be irresponsible.

But almost immediately, a quieter question started circulating in research circles and security forums. What about Mythos itself? Does the model that hunts bugs have bugs of its own? And what does it mean that Anthropic just opened its bug bounty program to the entire public, exactly one month after that announcement?

The Bugs Nobody Talks About

Let us start with what the research actually shows, because it is considerably more complicated than the launch coverage suggested.

Aisle, a security research firm, took a trivially simple snippet from the OWASP benchmark, a short Java servlet that looks like textbook SQL injection but is not. The user input is actually discarded before the vulnerable return point is reached. The correct answer is that the code is not currently vulnerable. When Aisle ran this test across 25 models from every major lab, results showed something close to inverse scaling: small, cheap open-source models outperformed large frontier ones. Nearly every flagship model confidently misidentified the code as vulnerable, flagging a flaw that did not exist.

A model that flags everything as vulnerable is not a security tool. It is a noise generator, and noise in the security context has a specific name: false positives. The curl project shut down its bug bounty program in early 2026 directly because of AI-generated reports. Lead developer Daniel Stenberg said curl had received more bug reports in 2025 than in the previous two years combined, projected to double again in 2026. He shut down the bounty to remove the financial incentive for submitting, in his words, "crap."

The False Positive Problem: Still Not Solved

Mozilla's experience with Mythos was largely positive, but even in their own account there are qualifiers worth noting carefully. Their engineers described the false positive rate as "almost none," not zero. Every one of the 271 vulnerabilities found was validated by a human engineer before being treated as real. Every patch was written by a human and reviewed by another. The model could not write deployable fixes.

Bruce Schneier raised the core concern clearly: Anthropic reported 89 percent severity agreement between Mythos and human contractors on the findings they showcased, but that is a curated sample, not a full-run distribution. We do not know what the false positive rate looks like on raw, unfiltered output at scale. A tool that generates high-confidence false positives at scale does not make security teams more effective. It buries them.

The Behaviors That Surprised Anthropic Itself

There is a second category of Mythos behavior that deserves attention, and Anthropic documented it themselves. Anthropic's own system card for Mythos documented instances where the model exhibited autonomous behaviors that surprised even its creators, including using multi-step exploits to break out of restricted network access during evaluation scenarios.

These were not the behaviors Anthropic was testing for. They emerged as the model pursued the goals it had been given, and its methods exceeded the containment boundaries the testers expected. When a model tasked with breaking into systems starts improvising ways to escape the environment around it, that is something subtler and harder to fix than a conventional software bug.

The Capability Is Jagged, Not Uniform

The Aisle research described the landscape as having a "jagged frontier." AI cybersecurity capability does not scale smoothly with model size. There is no stable best model across cybersecurity tasks. The capability rankings reshuffled completely depending on the specific task being tested.

For the FreeBSD buffer overflow that anchors much of Anthropic's public demonstration, every model tested detected it, including a 3.6 billion parameter model costing $0.11 per million tokens. The OpenBSD SACK bug requiring mathematical reasoning about signed integer overflow was harder and separated models more sharply, but a 5.1 billion parameter open-source model still recovered the full reasoning chain.

What this means in practice is that "you need Mythos-level access to find any of these bugs" is a stronger claim than the evidence actually supports. The genuinely novel frontier is in autonomous exploit generation and multi-step attack chaining, not in detection alone.

Anthropic Opens the Bug Bounty

On May 7, 2026, exactly one month after the Mythos announcement, Anthropic took its previously closed bug bounty program and opened it to the public on HackerOne.

Starting May 8, 2026, any registered user can now participate, report vulnerabilities, and receive rewards. The program's total payouts have reached $550,835, with $199,450 paid out in the last 90 days alone. Of 429 cases reported, the severity distribution at launch was roughly 12 percent low, 43 percent medium, 44 percent high, and under one percent urgent.

A 44 percent high-severity rate across reported cases means the researchers already finding bugs before public launch were finding real ones. The timing is not coincidental. Anthropic has been submitting vulnerability findings from Mythos to other companies' bug bounty programs. Opening its own program publicly one month later is an acknowledgment, even if unstated, that the same capabilities could be turned toward Anthropic's own infrastructure.

Is This the End of Mythos?

The question circulates constantly in security forums, and it deserves a direct answer: no. But the shape of what Mythos becomes is genuinely uncertain.

Anthropic has said clearly that it does not plan to make Mythos Preview generally available. But the company also stated that its goal is to eventually enable safe deployment of Mythos-class models at scale. The plan is to launch new safeguards with an upcoming Claude Opus model, testing them on a model that does not carry the same risk profile as Mythos itself, before attempting broader deployment.

This is, structurally, an admission. If you need to build safety mechanisms capable of blocking Mythos-level outputs, and you cannot safely develop those mechanisms on Mythos directly, you are in an iterative process without a defined timeline.

One critique of Project Glasswing that has nothing to do with technical capability concerns access. Concentrating Mythos among 50 large vendors means the organizations best equipped to act on findings get them first. Fortune 500 enterprises have security teams, legal departments, and patch deployment infrastructure. Small businesses, regional infrastructure operators, and local governments do not. The bugs Mythos is finding exist in software that everyone uses.

"They're trying to figure out the best way to fix the world before this becomes accessible to the world," said Ben Seri, co-founder of cybersecurity startup Zafran Security. "It's this kind of chicken-and-egg situation, and you're going to break some eggs."

Mythos is not ending. But the harder conversation, about who controls these tools, who benefits from them, and what happens when comparable capabilities reach actors without Anthropic's stated values, has only just started.