Anthropic Publishes Coordinated Vulnerability Disclosure Dashboard

Anthropic posted a blog post linking to a coordinated vulnerability disclosure dashboard for Project Glasswing. Per the dashboard, "As of May 22, 2026, we've disclosed 1,596 vulnerabilities across 281 open source projects," and the mailing-list summary notes that "To our knowledge, 97 of these have been patched" with 88 assigned a CVE or GHSA. The dashboard, cited on the oss-sec mailing list, shows a list of report identifiers (currently up to 1,611 entries) but does not display project names or bug types until a maintainer ships a fix. The oss-sec post also lists published CVE examples including nginx, jq, and wolfSSL, and GHSA examples including libyang, mastodon, and freerdp.
What happened
Anthropic posted a blog post and linked to a coordinated vulnerability disclosure dashboard for Project Glasswing, as reported on the oss-sec mailing list by Alan Coopersmith. Per the dashboard, "As of May 22, 2026, we've disclosed 1,596 vulnerabilities across 281 open source projects." The dashboard further reports that "To our knowledge, 97 of these have been patched" and that 88 of the patched issues have been assigned a Common Vulnerabilities and Exposures (CVE) record or a GitHub Security Advisory (GHSA). The oss-sec archive notes the dashboard lists report identifiers (currently up to 1,611 entries) and that "disclosed" in this context means "reported to maintainers", not publicly published. The oss-sec post lists CVE examples including nginx, jq, and wolfSSL, and GHSA examples including libyang, mastodon, and freerdp.
Technical details
The dashboard notes that the number of disclosed issues is a subset of the total vulnerabilities found by Mythos Preview, because "independent human triage and review is the rate limiting step." The dashboard hides project names and bug types until maintainers ship fixes, while exposing report identifiers and a separate list of published CVE/GHSA records.
Editorial analysis - technical context
Coordinated disclosure dashboards that separate report identifiers from public details help preserve a working relationship with upstream maintainers while tracking remediation progress. As a general industry pattern, teams operating at scale often rely on automated finders followed by human triage, and bottlenecks occur at reviewer capacity, disclosure coordination, and maintainer bandwidth.
Context and significance
For open-source security, a public-facing tracker with nearly 1,600 reported issues provides visibility into discovery volume and remediation rates. Industry observers note that publishing aggregated metrics and links to CVE/GHSA records improves transparency for defenders and downstream consumers, while withholding project-level detail until fixes ship reduces the potential for exploit-focused disclosure before patches are available.
What to watch
Observers should monitor the dashboard for changes in the patched-to-disclosed ratio, the pace of human triage relative to automated findings from Mythos Preview, and whether maintainers begin publishing advisories that correspond to the dashboard's identifiers. The oss-sec post does not include statements from Anthropic beyond the linked dashboard content.
Scoring Rationale
A coordinated disclosure dashboard with nearly 1,600 reported issues is notable for open-source security practitioners because it aggregates discovery and remediation metrics. The story is relevant to security and ops teams but does not introduce a new attack surface or model-level breakthrough.