Hacker News new | ask | show | jobs
by Amekedl 34 days ago
I don't buy it. A lot of stuff this finds is also just simply wrong, benignly reported as true, despite upper/lower layers in the code burying the possibility of a vulnerability actually being exploited. It's a performance/security trade-off too, it always has been. Additional checks and other measures do in fact need to be performed for security purposes.

Great marketing as always, but the rose-tinted view many have seems vicariously misplaced.
3 comments
solenoid0937 34 days ago
In the article they describe how all the vulns are actually exploitable end to end and >1000 have been independently verified as critical.

These aren't unreachable vulns.

link
Amekedl 34 days ago
Where is the link to the advisories then? :/
link
skybrian 34 days ago
As the article explains, they mostly haven't been disclosed, because they're not fixed. They're giving people 90 days, or 45 after a patch is made.
link
gck1 34 days ago
> haven't been disclosed, because they're not fixed.

That's convinient.

But wait, don't they have this amazing AI that can fix all the issues itself with a single /goal command? What's the holdup?

link
solenoid0937 34 days ago
You should really read the article, every question asked so far in this thread has been very clearly answered.

I miss the days when HN would RTFA.

link
dyauspitr 34 days ago
He doesn’t want to read the article. He just wants to LLM bad.
link
TOMDM 34 days ago
From the article

> As we noted above, the bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them.

...

> To begin, we’ve released Claude Security in public beta for Claude Enterprise customers. It’s a tool that helps teams scan their codebases for vulnerabilities, and which can generate proposed fixes for them. In the three weeks since launch, Claude Opus 4.7 has been used to patch over 2,100 vulnerabilities. (This is faster than the open-source patching described above in large part because enterprises are fixing their own code, whereas open-source fixes usually require volunteer maintainers who work through coordinated disclosure.)

Your critique of the article would likely land much better if you engaged with it.

link
solenoid0937 34 days ago
> The software industry’s longstanding convention is to disclose new vulnerabilities 90 days after they’re discovered (or, if a patch is created before the 90 days is up, around 45 days after the patch becomes available). This allows time for end users to update their software before a vulnerability can be exploited by attackers. Our own Coordinated Vulnerability Disclosure policy takes this approach.

> However, this means that disclosed vulnerabilities are a lagging indicator of the accelerating frontier of AI models’ cyber capabilities: we’re not yet at the point where we can fully detail our partners’ findings with Mythos Preview without putting end users at risk. Instead, we provide illustrative examples of the model’s performance, along with aggregate statistics on our progress to date. Once patches for the vulnerabilities that Mythos Preview has discovered are widely deployed, we’ll provide much more detail about what we’ve learned.

link
darkamaul 34 days ago
I guess you could look at https://red.anthropic.com/2026/cvd/ to see exactly what was discovered.
link
Amekedl 34 days ago
Thank you. Looking at the WebDAV in nginx, this is exactly what I searched for, wanted to read, and confirmed my suspicions ^^ But this one takes the cake truly... https://red.anthropic.com/2026/cvd/findings/ANT-2026-CN7KX43...
link
rafgg 34 days ago
Specially when this has been OAI/Anthropic's MO for years at this point.
link