by pbmonster 37 days ago
curl had ~15 CVEs in 2026 so far. You surely don't think those (and the one Mythos found) were the last security bugs still left in the code base? There certainly will be more, in fact Daniel predicts ~50 CVEs for the entire year.

But Mythos found 1. After all that hype. 1.


Maybe curl is just... better hardened? Firefox posted hundreds in April.

That's not the argument. Yes, curl is insanely hardened. But still, they currently have a new CVE every couple of weeks. Mythos didn't accelerate this much, no more than all the other AI-assisted security analysis they've been doing anyway.

Which either means that, tragically for Mythos, it only got to analyze the code base just after ALL the bugs were finally ironed out and now curl is bug free forever after - or Mythos isn't really all that good, dozens/hundreds more bugs remain and will be found in the next months and years.

I just think the former is a bit unlikely.