solenoid0937 an hour ago

> And at the moment we have reports from like around 5(?) companies.

Which is not bad this early in the 90+45 day responsible disclosure window.

> Yet decided not to share that number. I wonder why.

It is bizarre to expect a company to disclose the false-positive rate of their security engineers, publicly. That does not happen.

> So, ~6 high- and critical-severity bugs per open-source project vs. hundreds of high- and critical-severity bugs per partner project. It looks like the math ain't mathing.

It is pretty obvious they're spending more compute on commercial partners. Why is this surprising?

> Of course, they didn't say that Mythos found only 8 bugs in wolfSSL vs 22 CVE fixed in wolfSSL 5.9.1.

wolfSSL is not the only software project in the world. Mozilla also came out with results that paint it as very effective. I don't think Mythos ever claimed to find all bugs anyway.