%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
Recently, Anthropic's highly anticipated AI security analysis model, Mythos, faced an unexpected "defeat" in the open-source community. Although the company had previously promoted the model's extraordinary ability to detect source code vulnerabilities, even delaying its public release, the test on the globally renowned open-source tool curl revealed a somewhat disappointing result: after a rigorous scan of 176,000 lines of code, only one low-risk vulnerability was confirmed.
The test was initiated by Daniel Stenberg, the founder of the curl project. He obtained limited testing access to Mythos through related projects, aiming to conduct a thorough "health check" for this widely used network transfer tool with over 200 billion installations. The curl codebase is known for its extremely high security engineering standards, having been meticulously refined by hundreds of contributors and continuously subjected to various automated scans and expensive professional audits.
The initial phase of the test appeared promising. Mythos' initial report claimed to have discovered "5 confirmed security vulnerabilities," but after several hours of manual verification by the curl security team, these results quickly shrank: three were determined to be false positives, simply reflecting normal behavior as described in the documentation; one was classified as a regular bug without security threats. In the end, only one vulnerability remained, rated as "low" in severity.
Regarding this outcome, Stenberg openly pointed out that Anthropic's so-called "dangerous capabilities" seemed more like a successful marketing campaign. He stated that long before Mythos, the curl team had already fixed hundreds of bugs using multiple AI security tools, and the first tools often picked up "low-hanging fruits." As the codebase became increasingly refined, it has become significantly harder for AI to uncover deep-seated new vulnerabilities.
However, Stenberg did not entirely dismiss the value of AI. He acknowledged that compared to traditional static analyzers, AI tools like Mythos have significant advantages in understanding protocol specifications, identifying discrepancies between comments and code, and simulating configuration checks in complex environments. They are more like a knowledgeable and skilled assistant, although their suggested fixes are not always 100% accurate.
This real-world test sent a warning to the industry: although AI has brought a qualitative improvement in code auditing, it can currently only detect "known types" of errors, rather than creating entirely new logic for vulnerability detection. In ensuring core security, rigorous security engineering practices—such as building defensive infrastructures and strict numerical limit restrictions—remain a more reliable "silver bullet" than AI tools.