cURL Creator Critiques Mythos, Finds One Low-Severity Flaw
According to a blog post by cURL lead developer Daniel Stenberg, Anthropic's Mythos model was used to scan the cURL repository through the Project Glasswing access program, but Stenberg says he never received direct access and a third party ran the scan for him (Stenberg blog, The Register). The report reportedly listed five claimed "confirmed security vulnerabilities," but after review Stenberg and the cURL security team trimmed that to one confirmed, low-severity issue that Stenberg says will become a CVE published with cURL 8.21.0 in late June (The Register, LWN). Stenberg called the surrounding hype "primarily marketing" and an "amazingly successful marketing stunt" (Stenberg blog, The Register). Stenberg also noted that other modern AI code-analysis tools have already driven hundreds of bugfixes in cURL over the last 8-10 months (Stenberg blog).
What happened
Daniel Stenberg, lead developer of cURL, published a blog post describing results from an AI-driven security scan carried out on the cURL codebase using access granted under the Linux Foundation/Project Glasswing arrangement. Stenberg wrote that he signed a contract for access but did not receive direct access himself; instead, someone else with access ran the scan and sent him the results (Daniel Stenberg blog post; The Register). The delivered report reportedly listed five items described as "confirmed security vulnerabilities," but after cURL's security team reviewed the findings they reduced that list to one confirmed vulnerability, which Stenberg said will be published as a low-severity CVE alongside the planned cURL 8.21.0 release in late June (The Register; LWN).
Technical details
Mythos and findings. Stenberg characterized the broader publicity around Mythos as overblown, writing that "My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing" and calling it "an amazingly successful marketing stunt for sure" (Daniel Stenberg blog post; The Register). He reported that the scan also surfaced a number of non-security bugs the team is addressing (The Register).
Prior AI tooling context. Stenberg noted that cURL has already been scanned by other modern AI code-analysis tools in recent months and that those tools helped trigger "between two and three hundred" bugfixes merged into cURL over the past 8-10 months, with several findings turned into CVEs (Daniel Stenberg blog post). LWN summarized Stenberg's view that while AI-powered analyzers are significantly better than legacy static analyzers, he saw no evidence that Mythos produced findings of materially higher quality or sophistication in this repository than those other tools (LWN).
Industry context
Editorial analysis: For practitioners, this episode is a concrete field test of the limits and signal-to-noise profile of AI-driven code auditing tools. The reported outcome (few confirmed security issues and several claims that did not survive review) matches broader observations that modern models can surface useful leads but still require human triage to filter false positives and prioritize actionable fixes.
Editorial analysis: Security teams evaluating AI scanners should treat outputs as triage aids rather than authoritative vulnerability verdicts. The cURL example highlights that even widely publicized models may not dramatically outperform other AI-assisted tools in every codebase, and that integration with existing code review and fuzzing pipelines remains necessary.
Context and significance
Editorial analysis: The story matters because it calibrates expectations. Publicity framing that a single model is "too dangerous to release" raises operational and policy questions, but reported empirical results here show modest concrete impact on one major open-source project. That reduces the evidentiary weight for claims about model-enabled mass discovery of critical vulnerabilities, while underscoring the ongoing utility of AI as an augmenting tool for maintainers.
What to watch
Editorial analysis: Observers should watch for the published CVE tied to cURL 8.21.0 in late June to see the disclosed severity and exploitability details (The Register). Practitioners should also track follow-up reports from other high-profile projects that received Mythos scans via Project Glasswing or similar programs to compare false-positive rates, detection overlap with established tools, and whether any scans surface high-severity or supply-chain-relevant findings.
Editorial analysis: Public reporting and vendor documentation about Mythos's scanning method, training data, and evaluation metrics would help the community assess when and where such models add unique value versus duplicating existing tooling. If vendors publish repeatable benchmarks and transparent failure cases, maintainers can make better procurement and workflow decisions.
Scoring Rationale
This is a notable, practitioner-relevant test of an AI security scanner on a major open-source project. The limited confirmed findings lower its immediate shock value, but the episode is important for security teams calibrating AI-assisted tooling.