Anthropic lets Mythos partners share cyber findings beyond Glasswing
Tags: CIO, CISO, Board, AI Security, Cybersecurity, Anthropic, Governance, Software Supply Chain

Joachim Høgby
19 May 2026 · 5 min read · Source: Reuters

Reuters reports that Anthropic has changed an important part of the Claude Mythos rollout: who may be told about the vulnerabilities the model finds.

Anthropic now says partners in Project Glasswing may share information about cyber threats and vulnerabilities with others that could be exposed to the same flaws. The permission is not limited to Glasswing participants. According to Reuters, partners may share findings, best practices, tools and code with security teams at other companies, industry bodies, regulators, government agencies, open-source maintainers, the media or the public, as long as responsible-disclosure norms are followed.

This is not a small process tweak.

Mythos is not a normal security scanner. Anthropic has described Claude Mythos Preview as a model with unusually strong coding and vulnerability capabilities. Project Glasswing was launched with partners including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. The stated goal was to put a non-public frontier model to work on defensive security before similar capabilities spread more broadly.

The center of gravity is now moving from closed access to coordinated disclosure. That is a governance story.

Reuters writes that partners initially wanted confidentiality because the findings could be sensitive, and because companies could become targets if details about vulnerabilities leaked. Anthropic says there was never a specific Glasswing NDA, but that confidentiality protections were built into the agreements signed by partners.

The company now says the program has matured. More information should be shareable broadly for maximum defensive impact.

For CIOs and CISOs, the message is direct: AI-driven vulnerability discovery is making old disclosure routines too slow.

When a model can find flaws in operating systems, browsers, libraries and internal code faster than traditional teams, it is no longer enough to have one internal security mailbox and a vague supplier clause. Leadership needs to know who may receive a finding, who may pass it on, when open-source maintainers should be notified, and when regulators or customers need to be brought into the loop.

That requires three things.

First: contracts that distinguish secrecy from responsible sharing. Suppliers should not be able to hide critical findings behind broad confidentiality language if other customers or shared components are exposed.

Second: patch SLAs built for AI speed. A finding that used to arrive from a quarterly penetration test may now come from a model scanning large codebases continuously. Change windows, risk scoring and exceptions have to be treated as operations, not as improvised crisis management.

Third: traceability. If a partner shares code, a proof of concept or a detection rule, the enterprise needs to show what was received, who approved use, which systems were affected and when the issue was closed.

This matters most for banks, healthcare, energy, public-sector organizations and software suppliers to critical processes. These environments depend on components they do not fully control. An AI model may find the flaw. The hard part is getting the right information to the right owner without handing attackers a ready-made recipe.

That is why this Reuters story should be read alongside the wider Mythos coverage from the past weeks. The model is not just a product story. It changes how vulnerabilities are found, prioritized, shared and patched. That is security operations, supplier governance and board risk in the same workflow.

The practical test for executives is simple: if a supplier tomorrow finds a critical flaw in a component you use, with help from a closed AI model, who is allowed to tell you what? And how fast can you act on it?

If the answer requires a meeting to decide who owns the process, the process is too weak.

Sources and media

  • Primary source: Reuters, "Anthropic to let partners share Mythos cybersecurity findings with others", published May 18, 2026: https://www.reuters.com/technology/anthropic-let-partners-share-mythos-cybersecurity-findings-with-others-2026-05-18/
  • Context: Anthropic, Project Glasswing: https://www.anthropic.com/glasswing