TL;DR: In April, Anthropic announced an AI model called Mythos that had reportedly found thousands of serious security bugs in every major operating system and web browser. The reaction was loud: the Bank of England warned regulators it could “crack the whole cyber risk world open”, US Treasury called in the big banks, and NHS England closed all its public code repositories inside two weeks. Five weeks on, the dust has settled and the picture looks different. Independent reviewers pulled the headline numbers apart. The creator of curl, one of the most widely used open-source tools in the world, ran the Mythos report against his own code and found it had identified one minor flaw, calling the hype “primarily marketing”. 99% of Mythos’s claimed findings remain unpublished and unverified. What did happen in those five weeks is that the open-source world fixed and disclosed its share of the bugs publicly, in the open, on commit logs anyone can read. That is open source working as it is supposed to, so don’t call open source a liability. The lesson for our administrations is the opposite of NHS England’s. Closing your code does not make you safer. Funding the open ecosystem you already depend on, and using similar AI tools defensively on your own code, does.
# The picture has rebalanced
On 7 April 2026, Anthropic announced Project Glasswing and Claude Mythos Preview. The claim: thousands of high- and critical-severity zero-day vulnerabilities, including in every major operating system and every major web browser. Within a week, the institutional reaction was unprecedented. Bank of England Governor Andrew Bailey named Mythos by name in a speech at Columbia University on 15 April, telling regulators that Anthropic “may have found a way to crack the whole cyber risk world open”. US Treasury Secretary Scott Bessent and Fed Chair Jerome Powell summoned the CEOs of the largest American banks to an unannounced meeting. UK Finance, FCA, HM Treasury and the National Cyber Security Centre convened the eight largest UK banks. On 29 April, NHS England issued internal directive SDLC-8 ordering the closure of all public source code repositories, with a compliance deadline of 11 May, less than two weeks later.
Five weeks on, the data has come in. The picture is more rebalanced than the April reaction allowed for.
VulnCheck analysed Microsoft’s 14 April Patch Tuesday, which addressed 164 CVEs and was the second-largest on record. Only one CVE in that disclosure was directly attributable to Project Glasswing. VulnCheck’s conclusion was straightforward: “Mythos and Project Glasswing were only made public earlier this month, far too recently to have had much impact on the Patch Tuesday update.” Across the full CVE database, VulnCheck researcher Patrick Garrity identified 75 records mentioning Anthropic, of which 40 were actually credited to Anthropic researchers. Only one of those, CVE-2026-4747 (a FreeBSD NFS remote code execution flaw), is explicitly attributed to Project Glasswing itself.
On 11 May, Daniel Stenberg, lead developer of curl, published his review of a Mythos scan of the curl codebase. The scan was conducted under Project Glasswing through the Linux Foundation’s Alpha-Omega initiative. The report claimed five “confirmed security vulnerabilities” across 176,000 lines of C code. After review by Stenberg and the curl security team, the list trimmed to one low-severity flaw, scheduled for the 8.21.0 release in late June. Three of the four removed findings were false positives describing behaviour documented in curl’s API. The fourth was a non-security bug. Stenberg’s conclusion: the hype was “primarily marketing”. For context, prior AI-assisted analysis of the same codebase using Zeropath, AISLE and OpenAI Codex Security had produced 200 to 300 bugfixes over the previous eight to ten months, of which more than a dozen were confirmed CVEs.
Anthropic itself states that over 99% of Mythos’s findings remain unpatched, with details under coordinated disclosure embargo.
The public attributions to date are heavily weighted toward FOSS targets: OpenBSD’s 27-year-old TCP SACK bug, the 16-year-old FFmpeg H.264 flaw, Linux kernel privilege-escalation chains, FreeBSD CVE-2026-4747. Closed-source findings are still embargoed, with cryptographic commitment hashes published in place of details.
On the current evidence, the Mythos episode is a demonstration of FOSS speed under pressure. Triage, patching and public attribution have happened on the open side within weeks of disclosure. The right reading for Belgian administrations is to invest in that ecosystem, not retreat from it.
# Why FOSS moved this fast
The visible speed advantage is not luck. It is the product of accumulated community infrastructure.
Public commit logs let any operator track a patch the moment it lands. Open CVE assignment lets any researcher request an identifier for a FOSS bug. Mature coordinated vulnerability disclosure (CVD) practice means maintainers know how to triage, coordinate and publish. Multiple parties can verify and contribute to fixes. Decades of community experience with disclosure timelines means there is institutional muscle memory.
The relevant comparison is Anthropic’s own CVD policy, accurately stated: a 90-day default disclosure deadline (or patch release, whichever comes first); a 14-day extension where the maintainer is engaged and making progress; a 7-day compressed timeline for actively exploited critical vulnerabilities; and a separate 45-day post-patch hold for full technical details. FOSS routinely beats those numbers by an order of magnitude. OpenBSD’s TCP SACK patch landed within days of Mythos disclosure. The FreeBSD NFS CVE was published with patches in the same cadence.
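As an added illustration (not code from Anthropic or from this article), the timeline rules just listed, which section 6 also proposes as a template for Belgian public bodies, can be turned into a small deadline planner. It assumes the 14-day extension is granted once, that the "patch release, whichever comes first" rule also applies to the 7-day compressed track, and that the 45-day hold on full technical details runs from the patch date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Timelines as stated in the CVD policy summary above.
DEFAULT_DAYS = 90        # default disclosure deadline after the report
EXTENSION_DAYS = 14      # extension when the maintainer is engaged and progressing
EXPLOITED_DAYS = 7       # compressed track for actively exploited critical bugs
DETAILS_HOLD_DAYS = 45   # hold on full technical details after the patch ships


@dataclass
class Report:
    received: date                       # day the maintainer was notified
    patch_released: Optional[date] = None
    maintainer_engaged: bool = False     # engaged and making progress (assumption: extension granted once)
    actively_exploited: bool = False     # critical severity with in-the-wild exploitation


def disclosure_deadline(r: Report) -> date:
    """Date by which the existence of the bug is disclosed."""
    if r.actively_exploited:
        # Compressed track; no extension applies (assumption).
        deadline = r.received + timedelta(days=EXPLOITED_DAYS)
    else:
        deadline = r.received + timedelta(days=DEFAULT_DAYS)
        if r.maintainer_engaged:
            deadline += timedelta(days=EXTENSION_DAYS)
    # "Or patch release, whichever comes first."
    if r.patch_released is not None and r.patch_released < deadline:
        return r.patch_released
    return deadline


def details_release(r: Report) -> Optional[date]:
    """Earliest date full technical details may be published (None until a patch exists)."""
    if r.patch_released is None:
        return None
    return r.patch_released + timedelta(days=DETAILS_HOLD_DAYS)


def days_remaining(r: Report, today: date) -> int:
    """Days left before the disclosure deadline, negative if already past."""
    return (disclosure_deadline(r) - today).days


if __name__ == "__main__":
    # Constructed sample: a report received on the Glasswing announcement date.
    r = Report(received=date(2026, 4, 7), maintainer_engaged=True)
    print("disclosure by", disclosure_deadline(r), "details after", details_release(r))
```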
None of this infrastructure is free, and the funding implications come back in section 5.
# NHS England read the moment backwards
NHS England’s SDLC-8 directive was issued on 29 April with an 11 May compliance deadline. The closure ran ahead of VulnCheck’s analysis, ahead of Stenberg’s curl review, and ahead of even one full Patch Tuesday cycle that could let the public picture rebalance.
The directive treated FOSS visibility (commit logs, public CVE attributions, named maintainer disclosures) as FOSS vulnerability. It is an understandable reading from inside an institution that does not work natively in the FOSS ecosystem. It is the wrong reading.
Closure addresses neither the actual threat surface (which AI has accelerated for both sides of the disclosure line) nor the visibility asymmetry (which is structural to how open and closed disclosure mechanics differ, not evidence of bug-count asymmetry). The right move is to fix the perspective, not retreat further from it.
# Resonance
The institutional response inside the UK is contested. The open letter at Keep Things Open calls on NHS England to withdraw SDLC-8 and reaffirm its commitment to the NHS Service Standard, whose Principle 12 already requires new source code to be open by default. As of mid-May, the letter has gathered 2,098 signatures since 1 May 2026, many from contributors to UK public-sector software. A separate petition has been filed on the UK Parliament site. The Free Software Foundation Europe issued its own statement on 4 May, drawing the same conclusion from a different starting point, “Public Money? Public Code!”; the Keep Things Open letter leans on NHS England’s own existing guidance; and we focus on the five weeks of evidence. Three narratives reaching the same conclusion.
# FOSS done right: what the working examples show
The pattern of investing in FOSS infrastructure rather than retreating from it has been visible for some time, and the working examples are concrete.
In Wallonia, iMio is an inter-municipal IT cooperative serving roughly 90% of Walloon municipalities on a shared FOSS stack (Plone, Django, Odoo). It has forty technicians and has been financially autonomous from regional subsidies since 2021. A patch written for one of around 250 municipalities is available to the other 249. Cross-operator amortisation of fixes is operational practice.
In France, DINUM runs code.gouv.fr as a state catalogue of public-sector FOSS, with a Conseil Logiciels Libres advising on practice. A managed migration of state workstations away from Windows is underway. None of this is hypothetical infrastructure.
In Germany, the Sovereign Tech Agency has invested approximately €23.5 million across more than 60 critical FOSS technologies, including Log4j, GNOME, Samba, FFmpeg and curl. The agency itself is a direct institutional descendant of the lesson from Heartbleed (2014), when OpenSSL was being maintained by two overworked developers on annual donations under USD 2,000. The structural response to that incident was the Linux Foundation’s Core Infrastructure Initiative, which became OpenSSF. The fix to underfunded critical FOSS was money, not closure.
At EU level, Article 25 of the Cyber Resilience Act creates a specific lighter-touch regime for open-source software stewards, recognising that a public body or non-profit underwriting a FOSS project is different from a commercial vendor shipping it.
Discourse provides the operational template for AI-defensive use on a single project. Their April 2026 release patched 50 issues identified through defensive AI scans on their own codebase, at a cost that is negligible against any serious security budget. Same models, same techniques as attacker-side use, run first by the defender on code the defender already controls.
The Mythos episode is the latest data point in a pattern. Funded community engagement produces the kind of disclosure speed visible in the public attributions on the FOSS side over the last five weeks.
# How Belgian administrations engage
Six things follow for FPS BOSA, the regional digital agencies (Digitaal Vlaanderen, paradigm.brussels, SPW Digital), iMio, Smals, and the CCB.
Treat dependencies as part of the codebase. The libraries underneath any non-trivial public-sector application are public-sector codebase in everything but accounting. Inventory the FOSS components a service depends on, and accept institutional responsibility for them. The Heartbleed pattern is still the canonical warning here.
Fund upstream. Money, code, bug reports, time. Make the spend visible as a published budget line rather than hidden as in-kind contribution. The CCB, FPS BOSA, and each regional administration should be able to point to an upstream-contribution budget. The Sovereign Tech Agency is the working model.
Build internal teams that engage with FOSS communities. This is partly a recruitment question. Developers want to ship code that gets read, and an institution that publishes its code has a recruitment advantage over one that does not. It is also a culture question. Engaging upstream takes time the procurement model has not historically priced in.
Use AI defensively. Run the same models against your own code on a schedule, with patches landing in the public commit log. Human review on AI-generated code remains non-negotiable. The 50 issues Discourse caught in a single monthly release at trivial cost are the template.
Stand up coordinated disclosure infrastructure. A published security.txt, a coordinated disclosure policy, a public advisory channel. Anthropic’s own CVD policy, stated accurately as in section 2, is a reasonable template, as is the structure used by Google Project Zero and CERT/CC. Belgian public bodies producing meaningful volumes of software should consider applying for CVE Numbering Authority status.
Use CRA Article 25 stewardship actively. Belgian public bodies should be visible stewards of FOSS projects critical to Belgian public infrastructure. The legal instrument exists; it is a matter of using it.
A note on coordination. The Mythos question is being asked across the Belgian public sector right now. FPS BOSA, iMio, Digitaal Vlaanderen, paradigm.brussels, SPW Digital and Smals are all likely to face procurement and disclosure decisions inside the same fiscal year. ENISA’s published guidance on AI in cybersecurity and the EU Open Source Observatory (OSOR) are useful coordination venues. Coordinated thinking produces better answers and offers political cover for any single administration making the right call.
# Why closure is the wrong response, briefly
Each of the points below has been argued at length elsewhere. They belong in this article as supporting material, not as the headline.
Security through obscurity has been the weakest form of security since Kerckhoffs (1883). The argument that closing the code reduces what an AI-equipped attacker can see assumes a level of code containment that does not exist in practice.
Closed source is not actually closed. Microsoft’s Government Security Program has, since 2003, provided controlled source-code access to over 40 governments and more than 100 agencies. China’s Tianfu Cup has repeatedly demonstrated working remote code execution chains against fully patched closed-source targets including Windows, iOS, Microsoft Exchange, Chrome and Safari, with no source-code access required. The LLM4Decompile family of models (EMNLP 2024) achieves 87% re-compilability of decompiled C, which is to say binary analysis is now within reach of any actor with a current model and a target binary.
The vendor controls the disclosure record. Microsoft, Apple, Oracle and Cisco are CNAs for their own products. Bug bounty programmes at major closed vendors carry NDA clauses preventing independent publication. The customer running an older version is the only party that learns nothing.
AI works for defenders too, on the same codebase the defenders already control. The Discourse data and the operational guidance from NCSC’s 30 March 2026 blog point in the same direction.
The four points are individually short here because the rebalancing in section 1 already does most of the rebutting work. The argument that the FOSS ecosystem is meaningfully more exposed under AI-accelerated discovery does not survive five weeks of contact with actual data.
# Looking forward
The remaining Mythos closed-source disclosures will arrive over the coming months, on each vendor’s own cadence. The public picture will continue to fill in. Mythos and its successors will continue to find real bugs in real code, on both sides of the ecosystem, and the defensive infrastructure has to be in place to absorb that. The capability is real even if the April marketing overshot what the first weeks of evidence have supported.
The decision that Belgian administrations face now is what to do with the institutional response time the rebalancing has bought.
Administrations that responded to the April hype by closing their repositories will be locked into vendor dependencies and visibility deficits at a moment when the data has begun to walk the headline framing back. Administrations that responded by investing in FOSS community engagement, disclosure infrastructure and defensive AI capacity will be in a stronger position regardless of how the closed-source disclosures eventually land.
The choice is between leaning into a working ecosystem (iMio, FPS BOSA, ENISA, OSOR, OpenSSF, Sovereign Tech Agency, CRA Article 25 stewardship) and leaning out into vendor silos. The Stenberg analysis, the VulnCheck data, the 99% unpatched figure, and the public attributions weighted heavily toward the FOSS side are early signals about which choice the evidence actually supports.
# Sources
- Anthropic, Claude Mythos Preview
- Anthropic Coordinated Vulnerability Disclosure Operating Principles
- Anthropic Project Glasswing announcement
- VulnCheck analysis (via CSO Online), 16 April 2026
- VulnCheck analysis (via Computer Weekly), April 2026
- Daniel Stenberg, “Mythos finds a curl vulnerability”, 11 May 2026
- The Register coverage of Stenberg’s curl review, 11 May 2026
- SecurityWeek, “Claude Mythos Finds Only One Curl Vulnerability”, May 2026
- Bank of England Governor Andrew Bailey on Mythos, Columbia, 15 April 2026
- NHS England SDLC-8 directive of 29 April 2026, as published by Terence Eden
- Discourse blog, “Discourse is not going closed source”, April 2026
- NCSC blog on frontier AI in cyber operations, 30 March 2026
- Sovereign Tech Agency
- iMio
- DINUM, code.gouv.fr
- EU Cyber Resilience Act, Article 25 on open-source stewardship
- LLM4Decompile (Tan et al., EMNLP 2024)
- Microsoft Government Security Program