
Project Glasswing and the AI Vulnerability Math Problem

April 23, 2026 · 5 min read · Carlos Cheung

fossabot. The bot that gives you wings, glasswings

In case you missed it: Anthropic announced Project Glasswing, a coalition of companies committed to defending against emerging threats from AI-enabled vulnerability exploitation.

Project Glasswing is a great first step to help the ecosystem prepare for the reality that AI will enable attackers to exploit more vulnerabilities, more quickly. But it’s only part of the solution.

It’s true that, in theory, if we can find security flaws at hyper speed and fix them at ludicrous speed, we should get close to a meaningfully improved security posture. But there’s a major gap in that hypothesis: what happens between the moment a new version containing the fix is released and the moment you actually upgrade your application to it? For every day in that window, the vulnerability is public, the fix is public, and your deployment is still running the old code.

Step 1: Find → Step 2: Fix → Step 3: Safe?

Let’s take a look at the math.

Step 1: Find (Mythos or Another New LLM)

One of the insights in Anthropic’s Project Glasswing announcement was that Claude Mythos (an unreleased frontier model) discovered several previously unknown vulnerabilities in popular OSS projects. These included a 27-year-old flaw in OpenBSD, a 16-year-old flaw in FFmpeg, and a flaw in the Linux kernel.

This disclosure speaks to the likelihood that AI models will help us find a materially larger number of vulnerabilities than traditional tools and scanners.

  • Simple Math. Traditional security researchers discover y vulnerabilities per year.

  • AI Math. Traditional security researchers assisted by AI-enabled vulnerability research discover on the order of 100y vulnerabilities per year.

Step 2: Fix (Project Glasswing)

One of the expected outcomes of Project Glasswing (and similar advances in AI security) is a significant increase in velocity of fixes being deployed.

Attackers will be able to exploit vulnerabilities more quickly, but AI will be able to accelerate the process of discovering and patching.

  • Simple Math. Three vulnerable components, each fixed by releasing a new safe version.
  • AI Math. 1,000-plus vulnerable components, each with an AI-assisted fix.

Step 3: Safe? Nope.

A vulnerability is found, and a fix is released. This has been the workflow for ages, long before advanced models like Mythos.

However, just because the problem is found and a fix is available doesn’t mean teams act on it. With thousands of findings in front of us, the temptation is to rationalize that we’re probably not affected (the vulnerable function isn’t reachable, a run-time check blocks the input, and so on). But a reachability result is a point-in-time statement about today’s code: a critical CVE whose vulnerable path is not reachable today can become reachable tomorrow with one refactor, one new feature, or one transitive dependency bump. Let that sit for a second.

Once a vulnerability and its fix are published across the ecosystem, teams still have to take one of the following actions:

  • Change to a safe version (note: this could be a patched version from a service provider, a newer community version, or an internally patched version)
  • Migrate to a comparable package (note: some teams would rewrite the functionality themselves)
  • Remove the function entirely (note: this is probably the worst outcome)

Getting to Safe with AI Math

So how do we really get to safe with AI Math?

The answer is Step 2.5: fossabot (our AI-enabled auto-dependency updater) plus Mythos/Glasswing. The combination enables safe upgrades at scale: mass dependency upgrades that preserve code compatibility.

As software engineers, we all know that upgrading a dependency has never been super simple. Ask any engineer how much time it’ll take, and you generally get an “it depends…” response. It depends on how we’re using it, it depends on what changed, and it depends on how much time/AI we can spend on it.

  • AI Math
    • Mythos finds. 1000s+.
    • Glasswing fixes. 1000s+.
    • fossabot upgrades. 1000s+
    • = Safe-ish.

Our vision is available now, and we encourage you to try fossabot for yourself. We’re offering credits for your first 100 upgrades/remediations for the next four weeks — you can request a demo on our site or email us (hello@fossa.com) with questions or to get started.

We’re excited about finding all these vulnerabilities, seeing fixes available for all these vulnerabilities, and most importantly, helping you manage your software engineering process in using open source.

About the Author

Carlos Cheung is a member of FOSSA’s founding team.
