WASHINGTON—In just a matter of months, the cost of finding and exploiting a software vulnerability has collapsed. Frontier AI labs are now surfacing flaws in the open-source code that underpins nearly all modern software at a pace and volume that exceed anyone’s ability to triage them.
Take Anthropic’s new “safeguarded” version of its Mythos model that was released last week under the name Claude Fable 5, before the administration’s decision to apply export control directives to the model led Anthropic to disable customer access. As the company publishes performance results and additional research, eye-popping figures continue to emerge. Anthropic reports that the model has scanned more than one thousand open-source projects and surfaced what it estimates to be 6,202 high- or critical-severity vulnerabilities out of 23,019 total findings. Its public disclosure dashboard shows 1,596 vulnerabilities reported across 281 projects, with only ninety-seven patched so far.
Instead of focusing efforts on surfacing vulnerabilities, open-source projects and companies that support them are now shifting their efforts to handling a new influx of findings.
Open-source under pressure
Open-source software—characterized by freely available and publicly accessible source code—is both ubiquitous and critical. It would be difficult, if not impossible, to identify a single piece of software or website used in daily life that does not rely in some way on open-source code.
The Heartbleed flaw in OpenSSL and the Log4Shell vulnerability each demonstrated how a single defect in a widely reused component can cascade across the entire ecosystem.
But in the past few months, the difficulty of discovering and taking advantage of those flaws has plummeted.
Anthropic partnered with Mozilla and used Claude Opus 4.6 to find a vulnerability in the Firefox browser’s JavaScript engine in just twenty minutes. Since then, its model has improved at writing code that exploits discovered or patched vulnerabilities. Just this week, Anthropic’s security team reported that Mythos Preview turned recently disclosed Firefox and Windows kernel vulnerabilities into working exploits in hours, at an estimated cost of roughly two thousand dollars per exploit.
Maintainers of open-source projects and software companies now contend with a flood of reports, both from Anthropic and other security researchers. To separate dangerous weaknesses from benign bugs, developers must comb through each submission and assess its severity.
The lead developer of curl, an open-source command-line tool and library for transferring data, recently stated that the rate of security reports has doubled over the past year. That surge is now pushing open-source maintainers and enterprises to the edge of their capacity, as their bug-bounty programs struggle to keep pace with the volume of findings and rewards for external researchers lag behind the speed of disclosure.
Beyond code-level fixes
Addressing this challenge will require moving beyond vulnerability counts and security advisories to a more holistic view of project security.
Efforts such as OpenSSF’s Scorecard examine the history of an open-source project’s code to assess indicators such as the cryptographic process used in version releases, whether maintainers contribute from multiple organizations, and whether automated security tooling is in place. Data-driven assessments like Scorecard can serve as the foundation for further research and inform projects that investigate the effects of funding on project security practices.
By contrast, efforts to secure the open-source ecosystem entirely through identifying and disclosing vulnerabilities—while ignoring the health of open-source projects and their ability to respond—are likely to fail.
Self-replicating malicious packages have affected open-source package registries, including the September 2025 Shai-Hulud and June 2026 Miasma attacks. These incidents target the infrastructure used to update and release code, including maintainer accounts, rather than code vulnerabilities within specific packages.
According to Palo Alto Networks Unit 42, recent incidents—some potentially involving AI-generated malware—have affected tens of thousands of open-source repositories and can lead to the compromise of cloud services, ransomware attacks, data theft, and follow-on attacks. According to an OpenAI disclosure, the Axios software supply chain attack, linked to North Korean threat actors, affected a developer tool used at OpenAI in April 2026. This could have enabled abuse of the certificate used to verify OpenAI’s software on macOS. OpenAI was also potentially affected by the mini Shai-Hulud incident in May 2026.
AI companies must help protect the open-source ecosystem
So how can the organizations unleashing this flood of security reports help the open-source ecosystem triage them—and handle ongoing attacks?
Financial commitments are a genuine start. In March 2026, the Linux Foundation announced $12.5 million in grants from Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI, to be managed by Alpha-Omega and the Open-Source Security Foundation, specifically to enable maintainers to triage and remediate the influx.
The Linux Foundation and its subsidiaries do excellent work, and other efforts such as the Open Source Technology Improvement Fund and GitHub’s Secure Open Source Fund should receive similar support. The most useful interventions will build on these organizations’ efforts and long-standing projects like Google’s OSS-Fuzz, which has run continuous fuzzing for critical projects since 2016.
Further interventions in the open-source ecosystem should be guided by two principles: transparency and restraint.
The public deserves to have access to data on the security experiments frontier AI labs are running on open-source projects. Anthropic’s coordinated vulnerability dashboard is a good start, but only twenty-seven of 1,611 entries have had their details revealed in the two months since the company’s announcement of new cybersecurity capabilities.
Organizations making sweeping claims should provide clear evidence that can inform guidance and policy for the security community, funders, and policymakers. Details about the vulnerability types, the relative security of different kinds of open-source projects or language ecosystems, the cost of vulnerability discovery, and the cadence of maintainer interactions could be aggregated and anonymized without compromising the industry-standard ninety-day disclosure window. If released earlier, this data could have helped shape reporting and analysis on the potential implications of new AI capabilities ahead of the Trump administration’s recent executive order on AI.
Moreover, frontier labs should exercise restraint and avoid turning open-source ecosystems into de facto testbeds for vulnerability discovery for their own sakes. Finding and disclosing flaws in code should contribute to the security of a codebase and ecosystem, rather than function as leverage to win enterprise contracts.
Using external security companies to verify findings before reporting them to maintainers and prioritizing disclosure of actively exploited vulnerabilities are useful steps. But organizations such as Anthropic and OpenAI should go further, building a scaffolding of support around the open-source community.
From fragile foundations to durable safeguards
Unfortunately, that scaffolding will have to be erected on an already strained foundation, as US institutions responsible for tracking vulnerabilities are facing historic backlogs and limited resources.
Providing infrastructure, guidance, and direct support to maintainers and developers would not only strengthen open-source security—it would also reduce risk for AI companies themselves, as supply-chain attacks demonstrate.