#Mythos finds a #curl vulnerability
yes, as in singular one.
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
Timeline
Post
Remote status
Context
1
AI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past
I’m not sure this follows from what you’ve said in the rest of the post. Static analysers and fuzzers also made it very easy for people to find vulnerabilities and typically found a lot when they were deployed for the first time. And both were a lot cheaper to run than something like Mythos.
They aren’t finding as many vulnerabilities now because projects that are critical for security are integrating them into their CI flows.
And this is what always happens with some new technique: valgrind, Coverity, sanitisers, fuzzers, and so on: they’re released, they find a load of bugs that existing techniques failed to find, people fix them, they get integrated into regular CI runs, and the kinds of bugs that those tools find never make it into the tree.
Syskaller, for example, has found a lot more bugs in the Linux kernel than any Anthropic tools. And that’s just one fuzzing tool.
Replies
1
@david_chisnall @bagder how much does Coverity's licensing cost? I don't care about the free service they offer for open source projects (which is really just making open source the QA / "training")
All I know is that you have to contact their sales because they don't offer any public pricing at all which is the typical red flag that you're going to be spending a LOT to give access to that tool to your whole company.
All I know is that you have to contact their sales because they don't offer any public pricing at all which is the typical red flag that you're going to be spending a LOT to give access to that tool to your whole company.