| ▲ | amusingimpala75 5 hours ago |
| [edit: TFA addresses this, though I still find 90% accuracy overall vs 20% accuracy for curl crazy] Are these suspected vulns or actual vulns? If I recall correctly, it produced 5 for curl but only 1 was legit |
|
| ▲ | Smaug123 5 hours ago | parent | next [-] |
| > So far, Mythos Preview has found what it estimates are 6,202 high- or critical-severity vulnerabilities in these projects (out of 23,019 in total, including those it estimates as medium- or low-severity). |
| > 1,752 of those high- or critical-rated vulnerabilities have now been carefully assessed by one of six independent security research firms, or in a small number of cases by ourselves. Of these, 90.6% (1,587) have proved to be valid true positives, and 62.4% (1,094) were confirmed as either high- or critical-severity. That means that even if Mythos Preview finds no further vulnerabilities, at our current post-triage true-positive rates, it’s on track to have surfaced nearly 3,900 high- or critical-severity vulnerabilities in open-source code |
|
| ▲ | extr 5 hours ago | parent | prev | next [-] |
| Did you RTFA? |
|
| ▲ | rbranson 5 hours ago | parent | prev | next [-] |
| I don't know why you're getting downvoted. This is exactly what was reported by curl's creator under the section "Five findings became one": https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v... |
| ▲ | Smaug123 5 hours ago | parent | next [-] |
| I think it's more that the requested information is prominently featured in the article, and indeed is the content of the only graphic in the article below the intro banner. |

| ▲ | the_mitsuhiko 4 hours ago | parent | prev | next [-] |
| And yet [1]: |
| > Not even half-way through this #curl release cycle we are already at 11 confirmed vulnerabilities - and there are three left in the queue to assess and new reports keep arriving at a pace of more than one/day. |
| > 11 CVEs announced in a single release is our record from 2016 after the first-ever security audit (by Cure 53). |
| > This is the most intense period in #curl that I can remember ever been through. |
| [1]: https://www.linkedin.com/feed/update/urn:li:activity:7463481... |
| ▲ | hiharryhere 3 hours ago | parent [-] |
| He’s talking about AI scanning tools collectively, not specifically Mythos. If you read his own top comment on that LinkedIn post he clarifies: “The simple reason is: the (AI powered) tools are this good now. And people use these tools against curl source code. They find lots of new problems no one detected before. And none of these new ones used Mythos. Focusing on Mythos is a distraction - there are plenty of good models, and people who can figure out how to get those models and tools to find things.” |
| ▲ | the_mitsuhiko 3 hours ago | parent [-] |
| Sure. But Mythos or not, in the developments since that post was written, 11 more legitimate vulnerabilities have been found by AI tools. |
| ▲ | toraway 2 hours ago | parent [-] |
| Wait, 11 vulnerabilities were discovered entirely in the timeframe after Mythos found 1? That seems like it would effectively debunk the theory that curl was so uniquely hardened that only 1 vulnerability even existed for Mythos to find, which I read numerous times back on the HN thread for the curl/Mythos blog post. |

| ▲ | thombles 2 hours ago | parent [-] |
| As one of those commenters on the previous post - yep, that theory appears to have been comprehensively trounced. Unless anything comes to light that Mythos was applied poorly to curl, the evidence suggests that it’s not uniquely effective vs other AI-assisted approaches. I’ll be interested to see what’s reported in the next curl release. |
| ▲ | wiwiwq 5 hours ago | parent | prev [-] |
| [flagged] |
|
|
| ▲ | RamRodification 5 hours ago | parent | prev [-] |
| This is marketing. So probably suspected. Or somewhere in between. |