Anthropic loosens Mythos sharing rules, partners can now disclose vulnerabilities

On May 18, Anthropic changed its policy: previously, partners using Mythos to discover vulnerabilities had to keep findings internal; now they can share them with each other, regulators, media, and even publicly.

The shift is a significant correction to the logic of the Mythos program.

Previous policy was completed

Mythos, launched on April 7, is an AI model trained on Claude specifically for attack discovery, scanning common software for unknown vulnerabilities. It was not sold publicly but distributed through Project Glasswing, a controlled program with 40 companies including Amazon, Microsoft, Nvidia, and Apple. The design aimed to limit diffusion—an AI that finds vulnerabilities could be weaponized if misused.

Under the original terms, partners could only handle discovered vulnerabilities internally. This created an awkward situation:

Palo Alto Networks recently used Mythos to scan its own products, uncovering 75 vulnerabilities in one month—seven times its normal rate.

If Palo Alto couldn't share findings, the entire industry's security level would only rise within Glasswing, leaving other companies using the same vulnerable products unaware.

What changed and who can share

According to an Anthropic spokesperson speaking to Reuters:

"We fully support our partners sharing findings with each other and companies outside of Glasswing to triage vulnerabilities."

Partners can now share Mythos-discovered vulnerabilities with:

  • Other Glasswing members
  • Companies outside Glasswing (affected vendors)
  • Industry organizations
  • Regulators and governments
  • Open-source software maintainers
  • Media
  • The public

Provided they follow responsible disclosure norms—giving vendors a fix window before public disclosure.

Why the change now

This was not Anthropic's initiative but driven by partner demands. Partners worried that knowing a vulnerability alone made them a target. For example, if Company A used Mythos to find a zero-day in a popular database, under the old rules it could only silently patch its own deployment. But attackers could infer the vulnerability from the patch, exposing all other users of that database.

The policy loosening effectively turns "defense information" from a private commodity back into a public good—aligning with the security community's consensus on early, broad, coordinated disclosure.

Regulators are also reaching out

According to PYMNTS and BusinessToday, Anthropic agreed to brief the Financial Stability Board (FSB) on Mythos's capabilities and findings. This follows concerns from central bankers, Powell, and Bessent after Mythos's launch in April-May, and interest from Asian and European financial regulators. Anthropic has now opened a communication channel.

What this means

Looking at the timeline:

  • April 7: Mythos launched, completed testing
  • April-May: Glasswing members disclosed findings, central bankers alarmed
  • May 18: Policy reversal, findings shareable

In just 40 days, Anthropic moved from strict diffusion control to encouraging sharing. The key driver was partner data proving Mythos's attack-discovery capability is structurally superior, not incidental.

The next question is whether Glasswing will expand. If Anthropic scales from 40 to 100 or 200 companies, the program could evolve from a showcase pilot into industry infrastructure.

A question now on every major company's table: If your security team doesn't use AI, and your adversaries do, what's your plan?

Sources: Anthropic to let partners share Mythos cybersecurity findings with others (Reuters via Investing.com / KFGO / CGTN); Anthropic Will Update Regulators on Mythos' Cyber Vulnerability Findings (PYMNTS); Anthropic's Mythos AI raises banking cyber risk concerns, FSB briefing planned (BusinessToday); CocoLoop; Anthropic's Mythos Feature Enhances Cyber Threat Sharing (DevDiscourse)