AI for Regular People
TL;DR
Anthropic revised its Mythos disclosure policy on May 18, 2026, allowing Project Glasswing partners to share vulnerability findings with regulators, open source maintainers, the media, and the public, subject to responsible disclosure norms. The partner roster includes Amazon, Microsoft, Apple, Google, Nvidia, Cisco, JPMorgan, plus around 40 other critical infrastructure organizations.
Mythos has identified thousands of zero-day vulnerabilities across major operating systems and browsers, with working exploits on first attempt in over 83% of cases. The Pentagon is deploying Mythos across federal infrastructure while simultaneously transitioning off Anthropic. The new disclosure rules turn the prior wall between Glasswing and the outside world into a one-way mirror.
The 50-org partner pool now controls when and how findings flow downstream, what counts as a responsible patching window, and which open source maintainers get notified first.
Best for anyone tracking AI security policy, vendor risk, and how controlled-access AI programs actually work in practice. Not ideal for readers who haven’t been following the Mythos rollout.
Two months in, Anthropic finally cracked open the Mythos NDA.
Well, the thing that was never officially an NDA.
What Actually Changed on Monday
Anthropic told Reuters it’s revising its position on Mythos disclosure. Project Glasswing partners can now share vulnerability findings with security teams at other companies, industry bodies, regulators, government agencies, open source maintainers, the media, and the public. Subject to responsible disclosure norms, obviously. But broadly. The list reads like a wishlist.
The official line from the company: “While there was never a specific Glasswing NDA, confidentiality protections were something partners asked for at the outset and were built into agreements partners signed.” Read that twice. Translation: the agreement that wasn’t an NDA, which we built because partners asked for it, is now being loosened because the program has matured.
The reason it matured is the same reason the original confidentiality existed. Mythos has been finding things. According to Anthropic’s own disclosures, it’s identified thousands of zero-day vulnerabilities across major operating systems and browsers, and developed working exploits against them on first attempt in more than 83% of cases. That’s per The Next Web’s writeup on Monday.
The 50-Org Defender Pool
The Project Glasswing partner roster runs deep. AWS, Apple, Google, Microsoft, Nvidia, Cisco, JPMorgan. Plus a wider group of around 40 additional organizations that build or maintain critical software infrastructure. Anthropic calls it controlled access. The reality is closer to a tiered information system.
Inside the program: thousands of zero-day findings, working exploits, model access, briefings.
Outside the program: whatever your security team can patch with the public CVE feed.
Until Monday, that gap was a wall. The new disclosure rules turn the wall into a one-way mirror. Partners can now look out and tell people what they’re seeing. But the rest of the world still can’t look in.
That’s not closing the asymmetry. That’s expanding it. The 50 orgs that already had the defender’s view of Mythos now control what flows downstream and at what speed. Their patching windows, their disclosure timelines, their definitions of “responsible.” Everyone else’s security posture is now downstream of decisions being made inside a private cybersecurity intelligence club.
Anthropic’s framing has consistently been that this gives defenders a head start on the inevitable adversary use of comparable capabilities. The new rules don’t change that framing. They just hand the head start to whoever the partners feel like calling first.
The Pentagon Situation Tells the Whole Story
Here’s the part nobody is leading with. The Pentagon is deploying Mythos to find and patch software vulnerabilities across the U.S. government. While simultaneously racing to complete a transition away from Anthropic itself.
So the same Defense Department that slapped Anthropic with a formal supply chain risk designation is now running its government-wide vulnerability scanning on the model from the company it’s trying to drop. That’s the operational posture in 2026. Use the tool, lose the vendor.
It’s also a tell. The Pentagon isn’t waiting for the disclosure rules to loosen. It’s already inside. Government banks, financial regulators, the White House meetings with Dario Amodei, the Bank of England briefing the Financial Stability Board on what Mythos found in financial services infrastructure. The information was already flowing. The disclosure reversal is just the part that’s now legal to write down.
What the Glasswing 50 Get That You Don’t
Run through what a Glasswing partner has on May 19, 2026.
A model trained to find zero-days at a rate no human team can match. A list of specific vulnerabilities in the products they ship. Working exploit code for those vulnerabilities so they can confirm severity before patching. A network of 49 other organizations with the same view, sharing findings under coordinated timelines. A direct line to Anthropic for technical support. And now, the ability to release findings to outside parties on whatever schedule benefits them.
Run through what a non-Glasswing org has on the same date.
The public CVE feed.
Anthropic’s positioning paper says the controlled access gives defenders a head start. Mathematically that’s true. The head start is the gap between when a Glasswing partner discovers a vulnerability and when a non-partner reads about it on a security blog. The new disclosure rules don’t shrink that gap. They formalize it.
The Responsible Disclosure Loophole
The whole framework rests on “responsible disclosure norms.” Reasonable patching windows. Constraints on weaponisable detail. Coordination with vendors.
What “reasonable” means is being decided inside a 50-org club.
A 90-day patching window is reasonable when you have the patch. It’s a 90-day open window when you don’t. A constraint on weaponisable detail is fine when the detail flows freely inside the program. It’s a black box when you’re outside it. Vendor coordination works when the vendor is in the room. It doesn’t when the vendor is the one who got owned.
The mechanism critics have been pressing on for two months isn’t that Anthropic built Mythos. It’s that the people deciding how Mythos findings get released are the same people benefiting from getting them first. Monday’s announcement didn’t fix that. It scaled it.
What Happens Next
Watch three things.
First, whether the Financial Stability Board briefing Anthropic is preparing produces a public report or stays inside the FSB’s restricted track. Bank of England Governor Andrew Bailey requested it. The output of that briefing is the first test of whether the new disclosure rules actually expand the information set or just formalize the private one.
Second, watch which open source maintainers get findings first. Anthropic’s spokesperson said partners can share with maintainers under responsible disclosure norms. The order in which maintainers get notified is the new asymmetry. Linux kernel before OpenBSD before glibc before some indie crypto library. Pick the right project, get the patch. Pick the wrong one, get the post-mortem.
Third, watch the Pentagon. The Defense Department is running Mythos across federal infrastructure while transitioning off Anthropic. That transition has to land somewhere. Whatever model the Pentagon picks to replace Mythos becomes the next Glasswing. Which means the next 50-org club. Which means the next disclosure asymmetry, with the same structural problem, on a different vendor.
The Mythos rollout was always a preview of what controlled access to frontier capabilities looks like in practice. Monday’s announcement is the part of the rollout where the program admits that controlled access can’t stay controlled forever. The question is just who gets to control how it leaks.
Which on the current evidence is the same 50 orgs that controlled it before.
