[helsinkiandrew]

Whatever the capabilities, there’s always a little hype, or at least the risk won’t be as great as thought:

> Due to our concerns about malicious applications of the technology, we are not releasing the trained model.

That was for GPT-2 https://openai.com/index/better-language-models/

[imInGoodCompany]

I think a certain level of hype is warranted for a model that can autonomously discover complex 27-year-old 0-days in OpenBSD for $20K[0]. We don't yet know what this does to the balance of attack/defense in OSS security, and we cannot know until the capability is widespread. My most hopeful guess is that it looks heavily in favor of attackers in the first 6-12 months while the oldest 0-days are still waiting to be discovered, before tipping in favor of defenders as the price goes down for Mythos-level models and the practice of using them for vulnerability review becomes widespread.

The absolute best case is at we end up with similar situation to modern cryptography, which is clearly in favor of defenders. One can imagine a world where a defender can run a codebase review for $X compute and patch all the low-hanging fruit, to the point where anything that remains for an attacker would cost $X*100000 (or some other large multiplier) to discover.

[0] https://red.anthropic.com/2026/mythos-preview/

[1una]

In the same article you linked:

> Due to concerns about large language models being used to generate deceptive, biased, or abusive language at scale, we are only releasing a much smaller version of GPT‑2 along with sampling code .

7 years later, these concerns seem pretty legit.