Disclosure at machine speed: lessons from the first AI vulnerability ledger
Anthropic's coordinated-disclosure ledger, analysed by VulnCheck on June 9, 2026, shows AI surfacing 23,019 candidate bugs while just 1,596 reached maintainers — a preview of coordinated disclosure under machine-speed discovery.
What is this?
In February 2026, Anthropic began using an early snapshot of its Claude Mythos Preview model to find security flaws in open-source software, then published a public coordinated vulnerability disclosure (CVD) ledger to track what it disclosed. On June 9, 2026, VulnCheck’s Patrick Garrity analysed that ledger, and the numbers tell a story that goes well beyond one company: AI-assisted discovery generates candidate vulnerabilities far faster than the human process of triage, disclosure and patching can absorb them.
This is not a vulnerability and not an attack. It is the first public, auditable example of what coordinated disclosure looks like when the discovery side is automated — and a preview of a strain the whole ecosystem is about to feel. It sits alongside our coverage of the first CVE wave and AI-authored zero-days.
How it works
Anthropic’s pipeline has a wide funnel and a narrow neck. Per the ledger snapshot dated May 22, 2026:
- 23,019 candidate findings were surfaced by the model.
- 1,900 were reviewed by one of six external security research firms; 1,726 were confirmed valid (a 90.8% true-positive rate on what was reviewed).
- 1,596 findings were actually reported to maintainers across 281 projects — 467 validated-and-reported, plus 1,129 sent directly at maintainers’ request without independent triage.
- 1,451 were acknowledged, 97 were patched upstream, and 88 received a CVE or GitHub Security Advisory.
To preserve priority without leaking detail, every disclosed finding still inside its window is published as a SHA-3-512 hash commitment of the sealed report — proof the finding existed on a given date without revealing it. Anthropic’s CVD policy (updated March 6, 2026) sets a 90-day default disclosure window, a 45-day wait after a patch before full technical detail, a 14-day extension on request, a 7-day clock for actively exploited bugs, and deference to the maintainer on severity.
Why it matters
The bottleneck is human, and the math is unforgiving. VulnCheck notes that reaching 1,596 maintainers — about 6.9% of the candidate pool — took roughly 60 days; at that pace, clearing the backlog would take on the order of 2.4 years. Meanwhile the disclosure clock keeps running: Garrity counted 10 findings already past the 90-day deadline with 168 more reaching it within 30 days, against a ledger that had not visibly advanced since launch. The risk is structural — if one AI-assisted researcher can find these bugs, so can another, including adversaries, well before an overloaded coordination process gets to them.
Two data-quality wrinkles compound it. First, CVE mapping is incomplete: VulnCheck found only 14 ledger entries carried a CVE despite all of them having one, which makes the public record hard to correlate. Second, the model over-rates severity: Anthropic’s own severity-agreement matrix shows 58.7% exact agreement with external firms (94.4% within one band), with Claude skewing high because it lacks project-specific severity context at run time. Bruce Schneier framed the broader stakes on June 1, 2026, surfacing Melissa Hathaway’s argument that responsible disclosure can no longer be a reactive, fragmented process. This rhymes with the governance pressure we saw in the Fable 5 / Mythos 5 suspension and the Claude-credited CVEs at Apple.
Defenses
The lesson is for defenders who consume disclosure, not just those who produce it.
- Maintainers and PSIRTs: set an intake pace and demand triage. Anthropic’s policy already commits to not flooding a single project and to human-reviewing before reporting; hold any AI-assisted reporter to that. Treat un-triaged, direct-disclosure findings as candidates, not confirmed bugs.
- Don’t trust AI-assigned severity. Re-score every finding with your own CVSS vector and threat model. A model rating bugs “critical” without project context will inflate your queue and misdirect remediation.
- Correlate by CVE/GHSA, not vendor IDs. Where a ledger omits the CVE, map it yourself (the public records exist) so the same bug reported by multiple AI tools doesn’t become duplicate work.
- Plan for collision and backlog. Expect independent AI-assisted researchers to find the same flaws; prioritise patch deployment over waiting for a single coordinator. Assume some valid findings will sit undisclosed past 90 days.
- Invest in the remediation side. Discovery is now cheap; validated triage, coordination and automated patching are the scarce resources. Fund those, and treat the published ledger as a starting point to verify against — not as a finished record.
Status
| Item | Value |
|---|---|
| Subject | Anthropic coordinated-disclosure ledger (Claude Mythos Preview) |
| Snapshot | May 22, 2026 |
| Candidates → reported | 23,019 → 1,596 (across 281 projects) |
| Patched / advisories | 97 patched · 88 CVE/GHSA |
| Severity agreement | 58.7% exact, 94.4% within one band (n=463); model skews high |
| Independent analysis | VulnCheck (Patrick Garrity), June 9, 2026 |
| Policy window | 90 days default · 45 days post-patch · 14-day extension · 7-day if exploited |
| Status | Process/governance observation — no exploit, no actionable payload |