upvote

points

by amusingimpala751 days ago |
comments
upvoteby Smaug1231 days ago|
next
[-]
> So far, Mythos Preview has found what it estimates are 6,202 high- or critical-severity vulnerabilities in these projects (out of 23,019 in total, including those it estimates as medium- or low-severity).

> 1,752 of those high- or critical-rated vulnerabilities have now been carefully assessed by one of six independent security research firms, or in a small number of cases by ourselves. Of these, 90.6% (1,587) have proved to be valid true positives, and 62.4% (1,094) were confirmed as either high- or critical-severity. That means that even if Mythos Preview finds no further vulnerabilities, at our current post-triage true-positive rates, it’s on track to have surfaced nearly 3,900 high- or critical-severity vulnerabilities in open-source code

reply
upvoteby extr1 days ago|
prev|
next
[-]
Did you RTFA?
reply
upvoteby rbranson1 days ago|
prev|
next
[-]
I don't know why you're getting downvoted. This is exactly what was reported by curl's creator under the section "Five findings became one": https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...
reply
upvoteby Smaug1231 days ago|
parent|
next
[-]
I think it's more that the requested information is prominently featured in the article, and indeed is the content of the only graphic in the article below the intro banner.
reply
upvoteby the_mitsuhiko23 hours ago|
parent|
prev|
next
[-]
And yet [1]:

> Not even half-way through this #curl release cycle we are already at 11 confirmed vulnerabilities - and there are three left in the queue to assess and new reports keep arriving at a pace of more than one/day.

> 11 CVEs announced in a single release is our record from 2016 after the first-ever security audit (by Cure 53).

> This is the most intense period in #curl that I can remember ever been through.

[1]: https://www.linkedin.com/feed/update/urn:li:activity:7463481...

reply
upvoteby hiharryhere23 hours ago|
parent|
[-]
He’s talking about AI scanning tools collectively, not specifically Mythos.

If you read his own top comment on that LinkedIn post he clarifies:

“The simple reason is: the (AI powered) tools are this good now. And people use these tools against curl source code.They find lots of new problems no one detected before. And none of these new ones used Mythos. Focusing on Mythos is a distraction - there are plenty of good models, and people who can figure out how to get those models and tools to find things.”

reply
upvoteby the_mitsuhiko22 hours ago|
parent|
[-]
Sure. But Mythos or not, the developments since that post was written, legitimate 11 more vulnerabilities have been found by AI tools.
reply
upvoteby toraway22 hours ago|
parent|
[-]
Wait, 11 vulnerabilities were discovered entirely in the timeframe after Mythos found 1? That seems like it would effectively debunk the theory that curl was so uniquely hardened that only 1 vulnerability even existed for Mythos to find, which I read numerous times back on the HN thread for the curl/Mythos blog post.
reply
upvoteby thombles22 hours ago|
parent|
[-]
As one of those commenters on the previous post - yep, that theory appears to have been comprehensively trounced. Unless anything comes to light that mythos was applied poorly to curl, the evidence suggests that it’s not uniquely effective vs other AI-assisted approaches. I’ll be interested to see what’s reported in the next curl release.
reply
upvoteby wiwiwq1 days ago|
parent|
prev|
[-]
[flagged]
reply
upvoteby RamRodification1 days ago|
prev|
[-]
This is marketing. So probably suspected. Or somewhere in between.
reply