#Mythos finds a #curl vulnerability

Reply to #Mythos finds a #curl vulnerability on Thu, 14 May 2026 17:47:38 GMT

oots@infosec.exchange — Thu, 14 May 2026 17:47:38 GMT

@das_robin @bagder
Yes, #Firefox is probably a few orders of magnitude more complex than #curl and definitely much bigger.

Still, the blog post explicitly mentions "In addition to fixing the 271 bugs identified by Claude Mythos Preview in the 150 release, we’ve shipped more of these fixes in 149.0.2, 150.0.1, and 150.0.2.", so >270 attributed to #Mythos *alone*.

Reply to #Mythos finds a #curl vulnerability on Thu, 14 May 2026 12:32:05 GMT

mikemcquaid@mastodon.social — Thu, 14 May 2026 12:32:05 GMT

@bagder This closely matches the experience Homebrew has also had with Mythos. Also one vulnerability found and in our case it was a pretty irrelevant one.

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 16:44:01 GMT

elgringomexicano@mastodon.social — Mon, 11 May 2026 16:44:01 GMT

@bagder I picked 10 in the poll to play it safe, but 1 was my second choice and I'm not surprised at all. Long live #curl .

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 16:36:54 GMT

uint8_t@chaos.social — Mon, 11 May 2026 16:36:54 GMT

@das_robin @oots @bagder there was this blog post dismissing lots of the myth https://www.flyingpenguin.com/the-boy-that-cried-mythos-verification-is-collapsing-trust-in-anthropic/

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 13:41:39 GMT

peteriskrisjanis@toot.lv — Mon, 11 May 2026 13:41:39 GMT

@normis Normi, tu taču zini ka tas ir curl autors?

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 13:37:01 GMT

utf_7@mastodon.social — Mon, 11 May 2026 13:37:01 GMT

@redsakana @bagder

llm tools found security issues in curl? doubt

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 13:21:24 GMT

alterelefant@mastodontech.de — Mon, 11 May 2026 13:21:24 GMT

@totoroot
I admit it is very binary.
@bagder

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 13:20:02 GMT

totoroot@ibe.social — Mon, 11 May 2026 13:20:02 GMT

@alterelefant@mastodontech.de @bagder@mastodon.social Are you a machine?
Classifying finding a single vulnerability (1) as success and 0 as failure sure seems like it
The world is not black and white and the usefulness of LLMs for finding vulnerabilities IMO isn't either

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 12:59:50 GMT

rootwyrm@weird.autos — Mon, 11 May 2026 12:59:50 GMT

@bagder it's all marketing. And any improvements are completely moot, as the actual *costs* to find that single bug were in the tens of thousands of dollars minimum. That's the MINIMUM known cost.
It would not surprise me if finding that one bug cost $75k, $100k, $200k of compute time. It's a pile of shit, hilariously inefficient slop that sometimes behaves as a fuzzer that occasionally finds a crumb.

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 12:40:38 GMT

peteriskrisjanis@toot.lv — Mon, 11 May 2026 12:40:38 GMT

@bagder ️this

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 12:30:49 GMT

rugk@chaos.social — Mon, 11 May 2026 12:30:49 GMT

@das_robin @oots @bagder maybe @firefoxnightly can comment on that

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 12:26:38 GMT

quinn@social.circl.lu — Mon, 11 May 2026 12:26:38 GMT

@0x0 @kleisli @bagder to be clear i picked that number out of my butt, but it is clear to me that it's going to be very hard to make up their investment in it, much less than the min 10x (which would probably be a couple trillion dollars)

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 12:24:53 GMT

paco@infosec.exchange — Mon, 11 May 2026 12:24:53 GMT

@km Yeah. I didn’t mean it personally. I wasn’t criticising what you said, I’m sorry if I sounded that way.

I was just pointing out this constant theme. The only thing that ever is made public is the fully-polished, human-vetted final result. They carefully hide all other details and the press don’t care.

@bagder

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 12:00:23 GMT

natanox@chaos.social — Mon, 11 May 2026 12:00:23 GMT

@4censord @gnirre @bagder Also, didn't they intentionally disable all mitigations, sandboxing etc. in Firefox *and* include every teeny tiny bug it found (without mentioning the false-positives, which were probably a metric shit ton) to bolster those numbers?

There were lots of shenanigans afaik.

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 11:54:41 GMT

km@mastodon.babb.no — Mon, 11 May 2026 11:54:41 GMT

@paco @bagder yeah, let me clarify: i talked with people who not themselves used mythos, but whose org was given access, so yeah, they just told something which they were told

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 11:49:43 GMT

paco@infosec.exchange — Mon, 11 May 2026 11:49:43 GMT

@km As far as I can tell:

No one who has worked with raw Mythos output has ever written about it.
No one who has written about it has ever used it.

They would much rather have @bagder writing about it because his opinion carries weight. That means he can’t have direct access. To give him access, they’d demand to gag him with an NDA, like everyone else who has access.

This technique of making readers mentally fill in the gaps between what is verifiable and what is claimed is genius marketing and really dishonest. But we have come to expect systematic and casual dishonesty from these companies.

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 11:41:35 GMT

4censord@unfug.social — Mon, 11 May 2026 11:41:35 GMT

@gnirre @bagder with the most glancing of looks, looking at the 150 version of firefox (and some rounding),
curl: 200k lines of c
firefox:

5M lines of rust
9M lines of C and C++
200k lines of assembly
2M lines of python

so like, without looking at anything else, firefox is significantly bigger

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 11:27:18 GMT

phl@mastodon.social — Mon, 11 May 2026 11:27:18 GMT

@bagder “On average, every single production source code line of curl has been written (and then rewritten) 4.14 times.”

curl is the ship of Theseus not once, not twice, but four times

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 11:24:04 GMT

eobet@oldbytes.space — Mon, 11 May 2026 11:24:04 GMT

@bagder great, so even the Linux Foundation are naming things after the ultimate evil of a famous franchise? (Final Fantasy in this instance.)

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 11:00:14 GMT

redsakana@infosec.exchange — Mon, 11 May 2026 11:00:14 GMT

@bagder This suggests a fun exercise for someone interested in messing around with LLMs:

1. Put back all the curl security issues previously found by LLM tools by dropping the fix commits from history or otherwise obfuscating the revert.

2. Feed the re-vulnerabilized repo to a selection of models and see what are the cheapest ones (by memory, time and/or monetary cost) that can find, say, 50%/75%/100% of the issues found by the warehouse-scale "foundation models".

Feels like a large part of the current results should be doable with significantly smaller resources, because being trained on every tweet and reddit post and libgen book ever is not obviously related to the task.

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 10:36:13 GMT

0x0@hachyderm.io — Mon, 11 May 2026 10:36:13 GMT

@quinn

Especially if it's subscription-based, as these models seem to be good at finding only specific sets of problems and then dry out, but even 10k per use is really gov or big corpo territory.

@kleisli @bagder

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 10:26:47 GMT

frankgevaerts@mastodon.social — Mon, 11 May 2026 10:26:47 GMT

@synlogic4242 @bagder Yes, someone really needs to get on to that rewriting thing. Just a pity there hasn't been a weekend in *years* so nobody had the chance!

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 09:36:30 GMT

quinn@social.circl.lu — Mon, 11 May 2026 09:36:30 GMT

@kleisli @bagder
if it's something like 10,000 euros a pop, it might not be worth security scans and reviews, except for governmental clients.

Reply to #Mythos finds a #curl vulnerability on Mon, 11 May 2026 09:23:33 GMT

bagder@mastodon.social — Mon, 11 May 2026 09:23:33 GMT

@gnirre I don't know how much they asked or told A about when this was done. It's not "my" access, someone else has the access and ran the analysis