Anthropic posted a blog yesterday giving an update on their Project Glasswing efforts to find, report, and disclose vulnerabilities in a wide range of software: https://www.anthropic.com/research/glasswing-initial-update
In it, they link to their new disclosure dashboard at: https://red.anthropic.com/2026/cvd/

It currently says:

"As of May 22, 2026, we've disclosed 1,596 vulnerabilities across 281 open source projects. To our knowledge, 97 of these have been patched. Of those, 88 have been assigned a Common Vulnerabilities and Exposure (CVE) record or a GitHub Security Advisory (GHSA). In other cases, maintainers have shipped a fix without publishing an advisory. The number of vulnerabilities we've disclosed is a subset of the total number of vulnerabilities that Mythos Preview has found, since the process of independent human triage and review is the rate limiting step."

In their chart below that, they clarify that in this case, "disclosed" means "reported to maintainers", not made public. They include a list of identifiers of their reports (currently up to 1611 entries), but do not show the project name or bug type until the project has fixed the bug.

They also include lists of CVE's and GHSA's that have been published for the issues they've found. The CVE list currently includes CVE's from nginx, jq, wolfSSL, and more. The GHSA list includes libyang, mastodon, freerdp, and more.

-- 
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris

[Disclaimer: while my employer is identified in the blog post as a partner, I am not personally involved with Project Glasswing, and know nothing more about it than what has been publicly disclosed.]
