On 2026-04-10, 山卡洛 <[email protected]> wrote:
> what does the OpenBSD team think about this:
> https://red.anthropic.com/2026/mythos-preview/
"Over 99% of the vulnerabilities we've found have not yet been
patched, so it would be irresponsible for us to disclose details
about them"
they're going to run into a lot of that. as if it wasn't bad enough
before, many projects are receiving reports of *very* variable quality,
some of which are valid, others complete nonsense, and have to
separate truth from fiction, evaluate fixes, and make sure they don't cause
unintended side effects (proposed fixes often not being done with good
understanding of the software involved).
"We have contracted a number of professional security contractors to
assist in our disclosure process by manually validating every bug
report before we send it out to ensure that we send only
high-quality reports to maintainers."
good for them - those maintainers however also have to deal with less
ethically done reporting from people trying to build up a portfolio of
CVE numbers.
> specifically: does the claim appear valid (as in: it has potential to find
> a third hole in a heck of a long time)?
maybe
> if yes, would an automated code audit make sense?
it is safe to assume that a bunch of people are already doing various
automated code audits using various methods, for various different
purposes
> if yes, did you receive access?
if I understand correctly, for this particular system they are only
sharing with certain specific partner orgs (looks like all USA-based).
--
Please keep replies on the mailing list.