# AI found 23,000 software bugs. The humans can't keep up.

> Claude Mythos found 6,202 critical bugs across 1,000 open-source projects, 90.6% validated.

*The impressive number is the find rate. The scary number is the fix rate.*

By The InsidersFeed Desk · InsidersFeed
Canonical: https://insidersfeed.com/news/mythos-found-bugs-humans-cant-patch

> **The take:** this is one of the few AI capability claims that came with receipts — independent firms checked it. Good. The takeaway isn't 'AI is great at security'. It's that AI just industrialised the easy half of the job and left the hard half to overworked humans.

The numbers: 1,000 open-source projects scanned, **6,202 high/critical** vulnerabilities found (of 23,019 total), **90.6% validated** as real by six outside firms. Access to Mythos is restricted to ~50 partners (AWS, Apple, Google, NVIDIA, JPMorgan), whose own bug-finding reportedly jumped more than tenfold. As capability demos go, this one's hard to wave away.

## The part that should worry you

Anthropic basically admitted it: finding bugs is now cheap, fixing them is not. A lot of critical open-source software is maintained by a handful of unpaid volunteers. Point an automated vulnerability-finder at it and you get thousands of real flaws — and a patching queue no volunteer can clear. Now imagine the same tool, unrestricted, in offensive hands.

> **Credit where due:** Anthropic kept Mythos locked to vetted defenders, published independent validation, and put $100m of credits plus OpenSSF support behind the patching problem it created. That's the responsible version of dropping this bomb. Doesn't make the asymmetry less real.

So file this under 'capability shift, confirmed' — and under 'the bottleneck moved'. For a decade the hard part of security was *finding* the holes. Mythos says that era is ending. The new hard part is the boring, human, under-funded work of closing them before someone else walks through.

## FAQ

### Should I be worried about all these vulnerabilities?
Mostly these are being found by defenders and disclosed responsibly, and many examples are already patched. The real concern is structural: AI finds bugs faster than volunteer maintainers can fix them, so the gap between discovery and patching is now the weak point.

### Can attackers use this kind of AI too?
That's exactly why Anthropic restricts Mythos to ~50 vetted defensive partners and hasn't released it publicly. The same capability that helps defenders find flaws could help attackers build exploits — the asymmetry cuts both ways.
