Partners of Project Glasswing can now disseminate Mythos findings beyond the scope of the program.
The partners of Project Glasswing can now share vulnerability findings with other security teams, industry organizations, regulators, open-source maintainers, and the media, in accordance with responsible-disclosure practices. This expands the pool of defenders.
On Monday, Anthropic announced it is updating its previous disclosure policy regarding Mythos, the not-yet-released AI model focused on cybersecurity that is part of its controlled-access Project Glasswing program.
The update will permit partners utilizing Mythos to exchange information about cyber threats with other entities that might be vulnerable to the same issues, instead of confining their findings within their original partner organization.
The range of parties with whom partners can now share information is intentionally broad, including security teams from various companies, industry organizations, regulators, government agencies, open-source maintainers, the media, and the general public, all adhering to responsible-disclosure protocols.
Previously, Anthropic's approach was much more restrictive, with findings kept within the partner program and reported upward to Anthropic itself rather than shared with the broader defender community.
This change is significant in light of what Mythos has discovered. According to Anthropic’s own reports, the model has identified thousands of zero-day vulnerabilities across major operating systems and browsers during internal testing and has shown the capability to create successful exploits against these flaws on the first attempt in over 83% of cases.
The list of Project Glasswing partners includes major companies such as Amazon Web Services, Apple, Google, Microsoft, Nvidia, Cisco, and JPMorgan, making the findings disseminated within this group a notable representation of the current enterprise attack surface.
This change also aligns with a broader regulatory context that Anthropic is navigating. The company is preparing to inform the Financial Stability Board about what Mythos has uncovered within financial-services infrastructure, following a request from Bank of England Governor Andrew Bailey.
The coordinated monitoring group includes ASIC, the Federal Reserve, the Bank of England, the European Central Bank, the US Treasury, and several regulators from Asia.
The relaxation of the disclosure policy aligns with what regulators involved in those discussions have been advocating for privately: that vulnerability findings should not be tightly controlled within a partner program that excludes much of the financial supervision community.
There is also an operational aspect to note. According to the top technology official at the Defense Department last week, the Pentagon has been using Mythos to identify and patch software vulnerabilities throughout the US government while simultaneously trying to distance itself from Anthropic, amid the complex relationship established during the Trump administration.
Earlier this month, UK banks received their own briefing on Mythos; the new partner-sharing rules now enable those briefings to reach further downstream in ways the previous structure did not allow.
The technical and policy mechanics governing responsible disclosure remain a limiting factor. Anthropic’s updated policy, as stated in the released text, retains the requirement that sharing be coordinated in line with standard responsible-disclosure practices, which include reasonable timelines for patching and limits on disclosing details that could be weaponized.
However, the change does not address the structural imbalance that critics have been highlighting for two months: that the 40 to 50 organizations involved in Project Glasswing receive the defender’s insights on Mythos before the rest of the global enterprise ecosystem, and that this imbalance is now being extended through the new partner-sharing rules rather than being alleviated by broader direct access.
Anthropic has consistently presented the controlled-access program as designed to provide defenders with an advantage over prospective adversaries using similar capabilities.
The revised sharing rules represent the most significant operational development arising from this perspective since Mythos was initially revealed in April.
