Project Glasswing Partners Can Now Share Mythos Findings Beyond the Program
May 19, 2026 – 7:19 am
Project Glasswing partners can now pass vulnerability findings to other security teams, industry bodies, regulators, open-source maintainers, and the press, adhering to responsible-disclosure norms. The defender pool just expanded significantly.
Anthropic announced on Monday a revision to its disclosure policy on Mythos, an unreleased cybersecurity-focused AI model part of the Project Glasswing controlled-access program. This change allows partners using Mythos to share cyber threat intelligence with a wide range of parties, including:
- Other companies’ security teams
- Industry bodies
- Regulators and government agencies
- Open-source maintainers
- Media and the public
Previously, Anthropic’s policy was more restrictive, keeping findings within the partner program and escalating them to Anthropic itself. The shift is significant due to Mythos’ findings:
- On Anthropic’s own disclosures, the model has identified thousands of zero-day vulnerabilities across major operating systems and browsers in internal testing.
- It has successfully exploited these flaws on the first attempt in over 83% of cases.
Project Glasswing partners include prominent tech giants like AWS, Apple, Google, Microsoft, Nvidia, Cisco, and JPMorgan, making their findings a substantial subset of the modern enterprise attack surface.
This change also aligns with regulatory developments. Anthropic is preparing to brief the Financial Stability Board on its findings within financial services infrastructure at the request of Bank of England Governor Andrew Bailey. Regulators from around the world, including ASIC, the Fed, the Bank of England, the European Central Bank, the US Treasury, and several Asian regulators, are involved in coordinated monitoring.
The disclosure policy loosening reflects regulator demands for vulnerability findings to be shared more widely rather than held within a partner program excluding most financial supervision bodies.
Additionally, the Pentagon has been deploying Mythos to identify and patch software vulnerabilities across US government systems while transitioning away from Anthropic, as per the Defense Department’s top technology official. UK banks received their own Mythos briefing earlier this month; the new sharing rules facilitate such briefings.