Message-ID: <01cf598b-4138-452a-b4f1-22cdccf3bf76@oracle.com>
Date: Sat, 23 May 2026 11:10:51 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Anthropic's coordinated vulnerability disclosure dashboard

Anthropic posted a blog yesterday giving an update on their Project Glasswing
efforts to find, report, and disclose vulnerabilities in a wide range of
software:
   https://www.anthropic.com/research/glasswing-initial-update

In it, they link to their new disclosure dashboard at:
   https://red.anthropic.com/2026/cvd/

It currently says:
   "As of May 22, 2026, we've disclosed 1,596 vulnerabilities across 281 open
    source projects. To our knowledge, 97 of these have been patched. Of those,
    88 have been assigned a Common Vulnerabilities and Exposure (CVE) record or
    a GitHub Security Advisory (GHSA). In other cases, maintainers have shipped
    a fix without publishing an advisory. The number of vulnerabilities we've
    disclosed is a subset of the total number of vulnerabilities that Mythos
    Preview has found, since the process of independent human triage and review
    is the rate limiting step."

In their chart below that, they clarify that in this case, "disclosed" means
"reported to maintainers", not made public.

They include a list of identifiers of their reports (currently up to 1611
entries), but do not show the project name or bug type until the project
has fixed the bug.

They also include lists of CVEs and GHSAs that have been published for
the issues they've found.  The CVE list currently includes CVEs from nginx,
jq, wolfSSL, and more.  The GHSA list includes libyang, mastodon, freerdp,
and more.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

[Disclaimer: while my employer is identified in the blog post as a partner,
  I am not personally involved with Project Glasswing, and know nothing more
  about it than what has been publicly disclosed.]
