Navigating Mythos and Project Glasswing Findings


This FAQ addresses questions regarding Anthropic's Claude Mythos Preview and Project Glasswing, and their impact on Red Hat products. For detailed advice, please reach out to your Account team: Solutions Architect (SA), Technical Account Manager (TAM), or Red Hat Customer Support.

Customer FAQ - Claude Mythos and Project Glasswing

What is Claude Mythos?

Claude Mythos Preview is an unreleased frontier AI model developed by Anthropic. It is reportedly capable of autonomously discovering high-severity zero-day vulnerabilities in operating systems and web browsers. Anthropic officially announced Claude Mythos Preview on 07 April 2026.

What is Project Glasswing?

Alongside Claude Mythos Preview, Anthropic announced “Project Glasswing”, a cybersecurity defense initiative that gives its members access to Claude Mythos Preview to uncover and fix security vulnerabilities in their own products.

Are you participating in Anthropic’s Project Glasswing or using Claude Mythos?

We do not comment on specific third party security research programs or tooling.

Furthermore, our security posture does not depend on access to any single external model or initiative. Instead it relies on established secure engineering practices, centralized incident response, and continuous risk-based vulnerability management across all products and services.

Where automation or AI-assisted techniques are used, they are evaluated and integrated based on effectiveness, governance, and risk controls—not brand affiliation. This keeps our security posture resilient as multiple organizations advance AI-based cybersecurity research over time.

Is Red Hat actively reviewing and validating CVEs uncovered by Claude Mythos / Project Glasswing?

We have yet to identify any confirmed significant vulnerabilities in Red Hat’s environments. If specific CVEs emerge we will handle them through our standard vulnerability management process with appropriate severity ratings and timelines.

We have also published the blog post below, which covers how Red Hat Product Security reviews CVEs uncovered by AI-enabled research, and how context, rather than unrestricted reactivity, defines how Red Hat approaches AI vulnerability scans and the risks posed even by the most advanced AI models, such as Mythos.

Navigating the Mythos-haunted world of platform security

Is Red Hat actively using AI to uncover security vulnerabilities in our products?

Red Hat has long held security at the forefront of its development model and intends to integrate existing and new frontier AI models to bolster our proactive approach to finding and reducing vulnerabilities in our products. Red Hat brings these technologies into our software development lifecycle, and we will continue to work collaboratively with our partners and upstream communities. Our proactive security stance in the open source ecosystem, coupled with our ability to identify and remediate security vulnerabilities, is Red Hat’s value to our customers.

While we do not comment on the use of specific third party tools, models, or vendor programs, our vulnerability management program is tool-agnostic by design. It leverages a combination of:

  • Human security expertise
  • Automated analysis and testing
  • Responsible third party research
  • Industry collaboration and intelligence sharing

Do AI tools such as LLMs make open source inherently more vulnerable than proprietary software?

No. AI-detected vulnerabilities do not make open source more vulnerable than proprietary software. We operate under a standing assumption that security vulnerabilities will continue to be discovered—potentially at increasing speed—as analytical techniques evolve, including the use of advanced automation and AI.

Our preparedness does not depend on whether an external party has access to a product’s source code. Instead, our security and engineering programs are structured to absorb industry-wide increases in vulnerability discovery, regardless of the source, and to respond through established, repeatable processes.

Key elements of this preparedness include:

  • Continuous vulnerability intake from multiple sources (internal, third party, industry, and researchers)
  • Risk-based prioritization aligned to business impact and exploitability
  • Predefined remediation and mitigation workflows
  • Coordinated disclosure practices focused on customer protection

Red Hat’s vulnerability management practices will remain effective as CVE volume continues to grow, regardless of how each flaw is discovered.

Does this mean previously secure systems are now vulnerable?

Security does not depend on the absence of vulnerabilities, but on how vulnerabilities are managed.

Red Hat’s engineering practices and our centralized Product Security Incident Response Team (PSIRT) processes are designed so that vulnerabilities—once identified—are assessed and addressed in a timely and structured manner, with appropriate fixes or mitigations issued.

What is Red Hat’s Vulnerability Management process? How does Red Hat conduct risk assessments of vulnerabilities?

We use a centralized, global vulnerability management process consistent with industry standards. Vulnerabilities may be discovered through internal testing, customer reports, third party researchers, or responsible external disclosures.

Our process follows four core stages:

  1. Discovery
  2. Triage (risk-based severity assessment)
  3. Remediation (fixes and/or mitigations, where appropriate)
  4. Disclosure (coordinated communication after analysis and remediation)

This lifecycle approach is aligned with the global framework for incident response and vulnerability handling and follows our detailed Open Approach to Vulnerability Management methodology, which outlines how Red Hat Product Security categorizes vulnerabilities and conducts risk assessments.

If AI can find vulnerabilities faster, how do you ensure timely response?

Our vulnerability response capability is designed for scale and speed. A global Product Security team coordinates investigation and remediation efforts across Red Hat product teams to ensure consistent, timely action.

The focus is not solely on how vulnerabilities are discovered, but on how efficiently and responsibly they are triaged, mitigated, and communicated once identified. Under Red Hat’s security remediation process, vulnerabilities are thoroughly and accurately analyzed, affected engineering teams are notified, and development work is prioritized to address vulnerabilities and provide security fixes.

Red Hat does not have a separate response model for “AI discovered vulnerabilities.” We follow our long-established, risk-based security model to provide full transparency to our customers. Red Hat uses a four-point scale to describe a particular CVE’s severity based on rigorous analysis of the flaw. We designed this scale to align closely with similar scales used throughout the industry by other vendors and upstream open source communities. The four-point scale rates vulnerabilities as Low, Moderate, Important, or Critical. In addition, when Red Hat reviews a flaw, we look at how the software is sourced, built, packaged, and deployed.

What happens if you receive a severe vulnerability report that comes from an AI or model-based discovery tool?

Red Hat assesses the severity of a security vulnerability irrespective of the technique used to discover it (AI or otherwise). A flaw reported by a model-based tool is rated on the same four-point scale as any traditional software security flaw: Low, Moderate, Important, or Critical.

Furthermore, our zero-day / Known Exploited Vulnerabilities (KEV) process exists specifically to handle urgent, high-risk discoveries—no matter how they are found. This emergency capability has been in place for years and continues to serve as the backbone of our response strategy as vulnerability discovery methods evolve.

We encourage responsible disclosure. Potential security and AI vulnerabilities can be reported to the Red Hat Product Security team by emailing secalert@redhat.com.

Further information on our disclosure policies and how to send us an encrypted email is available at https://access.redhat.com/security/team/contact/.
