Anthropic Grants Mythos Partners Permission to Share Cybersecurity Findings


Key Takeaways

  • Anthropic has lifted the nondisclosure agreement (NDA) that previously barred Project Glasswing partners from sharing vulnerability data uncovered by its Mythos AI model.
  • JPMorganChase is the sole bank among the named launch partners; the carve‑out now allows it to pass Mythos‑found flaws to community and regional banks outside the program.
  • Rep. Josh Gottheimer praised the move, arguing that no entity should be contractually restrained from warning others about urgent cyber risks.
  • Mythos has identified thousands of previously unknown zero‑day flaws, producing working exploits on the first attempt in more than 83 % of cases; notable disclosures include 271 Firefox vulnerabilities and 26 Palo Alto Networks flaws.
  • U.K. regulators have issued a statement urging financial firms to take “active steps” against AI‑driven cyber threats, while no comparable U.S. financial‑regulator guidance has been released.
  • Anthropic committed to a public report on Glasswing findings within 90 days of the April 7 launch, with the deadline set for July 6.

Overview of Project Glasswing and the NDA Carve‑out
Anthropic’s Project Glasswing, launched on April 7, is a collaborative cybersecurity initiative that brings together more than 40 organizations—including major technology firms, academic institutions, and a single bank, JPMorganChase—to test and improve the security of widely used software using Anthropic’s Mythos model. Initially, participants were bound by a nondisclosure agreement that restricted the sharing of any vulnerability information uncovered by Mythos. According to Reuters reporting, Anthropic has now removed that NDA restriction, permitting partners to disseminate Mythos‑surfaced findings to regulators, industry peers, open‑source maintainers, and the public. The change took effect the same day Representative Josh Gottheimer issued a letter urging Anthropic to make exactly this adjustment.

Gottheimer’s Advocacy and the Push for Open Sharing
Rep. Josh Gottheimer (D‑N.J.), co‑chair of the House Democratic Commission on AI and the Innovation Economy, sent a letter to Anthropic CEO Dario Amodei pressing for the NDA carve‑out. In his correspondence, Gottheimer argued that “no entity should be contractually restricted from warning others, coordinating mitigations, or informing relevant and trusted stakeholders about urgent cyber risks.” He illustrated the point with a hospital‑and‑utility analogy: a large organization with Mythos access should be free to alert smaller peers that run the same critical systems. Gottheimer also called on OpenAI to adopt a similar openness policy for its Trusted Access for Cyber program, which grants vetted researchers expanded access to OpenAI’s most cyber‑capable models for defensive work.

Impact on Community and Regional Banks
JPMorganChase stands out as the only bank explicitly named among Glasswing’s launch partners. Prior to the NDA removal, any vulnerability data that Mythos generated could not be shared beyond the consortium, leaving smaller banks that rely on the same software stacks unaware of emerging threats. With the carve‑out in place, JPMorgan (and other partners) can now transmit Mythos‑identified flaws to community and regional banks that are not part of Glasswing. This flow of intelligence is expected to improve the overall resilience of the financial sector by enabling smaller institutions to patch critical weaknesses before attackers can exploit them.

Mythos’ Vulnerability Discovery Performance
Anthropic’s internal red‑team testing shows that Mythos identifies thousands of previously unknown zero‑day vulnerabilities across major operating systems and browsers, and it produces a working exploit on the first attempt in more than 83 % of cases. Specific disclosures underscore the model’s potency: Mozilla reported that Mythos surfaced 271 Firefox vulnerabilities, all of which were patched in Firefox 150 released on April 21. Palo Alto Networks issued a May 13 advisory detailing 26 vulnerabilities covering 75 individual software defects—a volume far above its typical monthly average of fewer than five—and noted that none of the flaws had yet been observed in the wild. These results illustrate how AI‑driven vulnerability discovery can outpace traditional manual methods in both speed and scale.

U.K. Regulatory Expectations on AI‑Driven Cyber Risk
Three days before the Anthropic carve‑out, the Bank of England, the Financial Conduct Authority (FCA), and HM Treasury issued a joint statement urging U.K. financial firms to take “active steps” against the cybersecurity risks posed by frontier AI models. The regulators warned that the cyber capabilities of current frontier AI models already exceed what a skilled human practitioner could achieve, operating at greater speed, scale, and lower cost. They highlighted five action domains: governance and strategy, vulnerability identification and risk management, third‑party risk, protection, and response and recovery. A footnote clarified that the statement consolidates existing operational‑resilience guidance rather than imposing new rules, and it pointed firms to a May 1 National Cyber Security Centre blog post warning of an imminent “patch wave” driven by AI‑aided vulnerability discovery.

Contrast with U.S. Financial‑Regulator Guidance
Unlike their U.K. counterparts, U.S. financial regulators have not yet published comparable expectations or statements regarding AI‑induced cyber threats. The absence of formal guidance leaves American banks to rely on voluntary initiatives such as Project Glasswing and industry best practices. While the recent NDA carve‑out aligns with the spirit of proactive information sharing advocated by U.S. lawmakers like Gottheimer, the lack of a coordinated regulatory framework may result in uneven preparedness across institutions, particularly smaller banks that lack the resources to independently monitor AI‑driven vulnerability feeds.

Timeline for Public Reporting and Next Steps
Anthropic’s Glasswing launch page pledged to “report publicly on what we’ve learned” from the program within 90 days of its April 7 inception. Consequently, a public summary is expected by July 6. This upcoming report will likely detail the aggregate findings of Mythos, the effectiveness of the NDA carve‑out in facilitating information flow, and any lessons learned about collaboration between large banks, technology firms, and regulators. Stakeholders across the financial and cybersecurity communities will be watching closely to assess whether the increased transparency translates into measurable improvements in patch timelines, exploit mitigation, and overall systemic resilience.
