by yjftsjthsd-h 42 days ago
> Not particularly “dangerous”

I'm not sure that follows. As noted, curl was already analyzed to death with every tool available; most software isn't at that level.

But Mythos is not marketed as a tool that can do the same as other tools already available, maybe slightly better, but as a revolution.
I'm agnostic about Anthropic/Mythos, but if there aren't any vulnerabilities there, it's hard to find them.

Until we find vulnerabilities in curl that Mythos missed, it's hard to say how good it is.

Would have liked to see analysis against the curl repo where the commit level is one day after the Mythos training data cutoff. And disable access to the internet.
No. The goal posts are not disproving their marketing. The burden of proof is on the people doing the marketing.
Mythos is either dangerous or not. We are taking dangerous to mean that the number of vulns it finds will be much greater than bugs found with available tools.

Since Mythos found only one additional vuln, and since x+1 is not much greater than x, it follows that Mythos is not dangerous per the definition above.

It doesn’t follow because the results for curl don’t necessarily generalize to other codebases. It’s evidence against Mythos being particularly dangerous, but it’s just one datapoint.

It doesn’t invalidate the other security bugs Mythos allegedly found in other codebases.

I don't think I understand what you mean; the "not particularly dangerous" comment was in relation to the vulnerability that was found, right? Surely they would know what constitutes a lower severity level.
The "not particularly dangerous" is a headline for a section talking about Mythos, not the vulnerability.
Ah okay, that makes a bit more sense. I read it wrong. Then the comment is absolutely fair.
My guess is that it is in the category of "you are holding it wrong". Still worth fixing, but requires very specific user input, for example. Or a very weird scenario. Or some less used protocol or flag combination.
Sure, but isn't it a verdict on Mythos compared to other models?

If so, it would still follow. "Most software" isn't analyzed as much as curl, by either other tooling or other models, that might well find close to the same as Mythos did. As such, Mythos then isn't especially/particularly dangerous.

Curl is currently receiving a record number of high-quality bug/vuln reports (a rather sharp change from the earlier slop inundation), so it’s not like there’s nothing to find. Many or most of these are presumably found by human experts assisted by AI tools, but if Mythos were truly revolutionary, it should be able to find such issues on its own.

https://daniel.haxx.se/blog/2026/04/22/high-quality-chaos/, linked from TFA

Is there a list of infrastructure that has received this kind of focus? Clearly people are looking at the linux kernel, hopefully openssl?
From the article:

> I did a quick unscientific poll on Mastodon to see if other Open Source projects see the same trends and man, do they! Friends from the following projects confirmed that they too see this trend. Of course the exact numbers and volumes vary, but it shows it's not unique to any specific project.

> Apache httpd, BIND, curl, Django, Elasticsearch Python client, Firefox, git, glibc, GnuTLS, GStreamer, Haproxy, Immich, libssh, libtiff, Linux kernel, OpenLDAP, PowerDNS, python, Prometheus, Ruby, Sequoia PGP, strongSwan, Temporal, Unbound, urllib3, Vikunja, Wireshark, wolfSSL, …