
AI Vulnerability Coordination at Vulnapalooza: First Mythos Encore

In April, as Anthropic's Claude Mythos Preview took the world stage, I gave festival survival guidance for the coming Vulnapalooza. Anthropic's first Project Glasswing update is the first of many encores to come. Fire up the Memorial Day weekend smoker: this BBQ of bugs is going to take a long time to resolve.


New AI Band Members, Same Vulnerability Coordination Song

Since the Mythos Preview release, roughly 50 partners used it to find more than 10,000 high- or critical-severity vulnerabilities in the world's most systemically important software. Cloudflare surfaced 2,000 bugs across its critical-path systems. Mozilla fixed 271 vulnerabilities in a single Firefox release. Microsoft says its monthly patch volume will keep “trending larger for some time.”


Process Diagram for ISO 29147 and ISO 30111

We’ve beaten the drum for over a decade that finding bugs was never the hardest part. It’s the processes after: context-aware triage, impact assessment, remediation design and implementation, and testing.


These internal processes described by ISO 30111, which I coauthored, have been underdeveloped at most organizations for decades.

AI is shining a spotlight on that now.


In This Club, Everyone Has Bottle(neck) Service

While the bug beat pumps fast, two bottlenecks sit at opposite ends of the bar. One is patch creation; one is patch deployment. Anthropic published a live coordinated vulnerability disclosure dashboard tracking every finding piling up at the patch creation end of the bar. As of its May 22, 2026 snapshot, Mythos Preview had surfaced 23,019 candidate vulnerabilities; 1,596 were reported to maintainers across 281 open-source projects, and only 97 were patched.


Writing comprehensive, regression-tested patches is human-paced work. Even when AI supplies the fix, the testing that follows needs human review to confirm it does not break functionality or interoperability. Until a trustworthy automated pipeline exists for AI patch creation and testing, this bottleneck holds.


Graph of the Mythos Vulnerability Coordination Funnel from discovery to reporting to patching

The disclosure pipeline narrows sharply at the patch stage: fixes are created far slower than bugs are found. Source: Anthropic CVD dashboard, snapshot 22 May 2026.


The cliff from 1,596 reported bugs to only 6% patched shows the bottleneck hitting every organization.


Some patch creation delays hide in what we call Tier 2 Triage. Among the “true positives” are duplicates and “‘won't fix’ issues: the bug is real, but the maintainer is unlikely to address it because it falls outside the project's threat model or affects unreachable code.”


Duplicates Are a Signal: Luta Security sees higher duplicate rates in less mature software and in organizations slow to create or apply patches.


Luta Security Vulnerability Coordination Maturity Model

Schedule a free Maturity Assessment to find out your baseline maturity and capabilities.


AI is Cranking Up the Heat on Exploitation

The second bottleneck waits downstream. Once fixes ship in volume, the pressure shifts to patch deployment, and “patch faster” does not scale when the queue is ten times longer than last year. The Vulnapalooza survival guide named what does scale: reduce your attack surface, and improve intrusion detection to catch exploitation in the gap between a patch being published and applied.


The 2026 Verizon DBIR found vulnerability exploitation was the initial access vector in 31% of breaches in 2025, the top entry point for the first time in the report's history, up from roughly 5% in 2023. The exploited bugs are overwhelmingly ones where a patch exists but has not been applied to vulnerable systems. Anthropic expects Mythos-class models to emerge publicly within six to eighteen months. As more capable AI models proliferate, both bottlenecks worsen: more patches waiting to be written, more waiting to deploy.


We Marinated Before We Cooked

When the pandemic hit in 2020, Zoom saw its inbound vulnerability volume spike almost overnight, just like everyone is seeing now. We matured their vulnerability handling and flattened their case load by 37% in weeks.


This process of investigating and fixing bugs applies even when you turn AI inward to find bugs yourself.


In 2020, when CISA directed every federal agency to stand up a vulnerability disclosure channel, we warned that it was like advertising your great uncle's prize-winning BBQ without first building him an industrial kitchen: open the order window with no prep cooks and no smoker tending behind it, and all you serve is half-baked mitigations, very slowly.


Our Vulnerability Coordination Maturity Model is a way to benchmark where those critical workflows stand and build organizational muscle memory. The Cyber Safety Review Board found the same in the Log4j response: the teams that fared best had already built the muscle, not improvised under pressure.


The Vulnapalooza vulnerability surge is spilling out of the festival grounds into everyone's backyard, and the Glasswing dashboard indicates we're just preheating the grill. The teams that show up prepared, with mature processes and time-tested recipes, will spend more holiday weekends as intended: with family at the BBQ, not over takeout in a situation room.



Katie Moussouris is the founder and CEO of Luta Security, a company that specializes in exactly the kind of vulnerability coordination and management you're scrambling to do better right now. She designed Microsoft Vulnerability Research, the first multiparty vulnerability coordination program at Microsoft, and served on the Cyber Safety Review Board. She is a pioneer of bug bounties and vulnerability disclosure, having coauthored the international standards for vulnerability disclosure and handling, created Microsoft’s and the Pentagon’s first bug bounties, and created the UK government’s first Vulnerability Disclosure Program.
