Mythos vs Curl

This is quite an interesting read: https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/

There’s a lot of detail in there so I recommend reading it. But some highlights from me:

Mythos raised 5 vulnerabilities total: 3 of them were false positives, 1 was a non-security bug, and the other was a low-criticality vulnerability that will be patched in their normal release cadence.

It kinda points to Mythos being overhyped by Anthropic (not surprising) as it wasn’t that much better compared to other LLMs. On the flip side, other LLMs have been blasting through these codebases and finding vulnerabilities for the past year or so and helping to ensure things are at a better baseline.

Daniel (curl maintainer) has in the past prohibited AI-assisted patches and AI-generated security reports; he also famously closed their bug bounty due to the high volume of sloppy reports he was getting. But more recently he slightly changed his stance because LLMs got better at detecting actual bugs rather than reporting false positives.

For well-maintained open source software, we'll get to a point where all the vulnerabilities will have been highlighted and it will be less likely that new and more advanced models will be able to find anything - like gold panning in California in 1855 versus today. Curl is an example of that: it was well maintained before AI, so it already had a comprehensive test suite, static code analysis, a list of forbidden unsafe functions, etc.

The biggest cybersecurity problems will come from the thousands of not-so-well-maintained libraries out there that are being pulled in as transitive dependencies of your software without you realizing it.