Read this https://daniel.haxx.se/blog/2026/05/11/m...
Published May 11, 2026, 7:15 PM
Read this https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/ and fact check it and summarize how Mythos found the vuln if it actually did
The blog post by Daniel Stenberg (the lead developer of curl) is accurate as reported. It describes his experience having the Mythos AI model (from Anthropic) scan the curl codebase.
Fact Check Summary
- Did Mythos find a vulnerability? Yes, but only one confirmed low-severity vulnerability.
- The Context: Anthropic had generated significant media hype, claiming Mythos was "dangerously good" at finding security flaws and was too powerful for public release.
- The Findings: The initial report provided to Stenberg claimed there were five "confirmed security vulnerabilities". After manual review by the curl security team, it was determined that:
- Three were false positives (shortcomings already covered in API documentation).
- One was deemed "just a bug," not a security vulnerability.
- One was a confirmed, low-severity security vulnerability.
- Conclusion: Stenberg characterized the intense hype surrounding the model as "primarily marketing," noting that while AI-powered analysis is a useful tool, Mythos did not live up to the "dangerously good" reputation suggested by the media.
How Mythos "Found" the Vulnerability
Mythos did not have direct, autonomous access to the curl repository to perform a live audit. Instead, the process functioned as follows:
- Access via Program: Under the Linux Foundation’s "Project Glasswing," certain organizations were granted access to the Mythos model.
- Report Generation: Because Stenberg did not receive direct access, an unnamed party who did have access ran the Mythos model against a specific commit in curl's src/ and lib/ directories (totaling roughly 178,000 lines of code) and generated a report.
- Analysis: The report provided to Stenberg included the model's findings, which the curl security team then had to manually investigate and triage to separate actual vulnerabilities from false positives and non-security bugs.