The system card unfortunately only refers to this [0] blog post and doesn't go into any more detail. In the blog post Anthropic researchers claim: "So far, we've found and validated more than 500 high-severity vulnerabilities".
The three examples given include two Buffer Overflows which could very well be cherrypicked. It's hard to evaluate if these vulns are actually "hard to find". I'd be interested to see the full list of CVEs and CVSS ratings to actually get an idea how good these findings are.
Given the bogus claims [1] around GenAI and security, we should be very skeptical around these news.
The official release by Anthropic is very light on concrete information [0], only contains a select and very brief number of examples and lacks history, context, etc. making it very hard to gleam any reliably information from this. I hope they'll release a proper report on this experiment, as it stands it is impossible to say how much of this are actual, tangible flaws versus the unfortunately ever growing misguided bug reports and pull requests many larger FOSS projects are suffering from at an alarming rate.
Personally, while I get that 500 sounds more impressive to investors and the market, I'd be far more impressed in a detailed, reviewed paper that showcases five to ten concrete examples, detailed with the full process and response by the team that is behind the potentially affected code.
It is far to early for me to make any definitive statement, but the most early testing does not indicate any major jump between Opus 4.5 and Opus 4.6 that would warrant such an improvement, but I'd love nothing more than to be proven wrong on this front and will of course continue testing.
Just 100 from the 500 is from OpenClaw created by Opus 4.5
emp17344today at 6:47 PM
Sounds like this is just a claim Anthropic is making with no evidence to support it. This is an ad.
HAL3000today at 9:57 PM
I honestly wonder how many of these are written by LLMs. Without code review, Opus would have introduced multiple zero day vulnerabilities into our codebases. The funniest one: it was meant to rate-limit brute-force attempts, but on a failed check it returned early and triggered a rollback. That rollback also undid the increment of the attempt counter so attackers effectively got unlimited attempts.
assaddayinhtoday at 8:00 PM
How weird the new attack vector for secret services must be.. like "please train into your models to push this exploit in code as a highly weighted trained on pattern".. Not Saying All answers are Corrupted In Attitude, but some "always come uppers" sure are absolutly right..
maxclarktoday at 10:55 PM
Did they submit 500 patches?
ChrisMarshallNYtoday at 7:33 PM
When I read stuff like this, I have to assume that the blackhats have already been doing this, for some time.
acedTrextoday at 6:54 PM
Create the problem, sell the solution remains an undefeated business strategy.
bastard_optoday at 7:44 PM
It's not really worth much when it doesn't work most of the time though:
Cox Enterprises owns Axios as well as Cox Automotive. Cox Automotive has a tight collaboration with Anthropic.
This is a placed advertisement. If known security researchers participated in the claim:
Many people have burned their credibility for the AI mammon.
bxgufftoday at 7:45 PM
In so far as model use cases I don't mind them throwing their heads against the wall in sandboxes to find vulnerabilities but why would it do that without specific prompting? Is anthropic fine with claude setting it's own agendas in red-teaming? That's like the complete opposite of sanitizing inputs.
moribvndvstoday at 10:23 PM
My dependabot queue is going to explode the next few days.
garbawarbtoday at 6:42 PM
Have they been verified?
siva7today at 6:53 PM
Wasn't this Opus thing released like 30 minutes ago?
I feel like Daniel @ curl might have opinions on this.
fred_is_fredtoday at 6:55 PM
Is the word zero-day here superfluous? If they were previously unknown doesn't that make them zero-day by definition?
somalihoaxestoday at 9:54 PM
No shit! ("OpeEn SoUrCe CaN bE eAsIlY ReViEwEd By EvErYOnE")
almostheretoday at 8:41 PM
I've mentioned previously somewhere that the languages we choose to write in will matter less for many arguments. When it comes to insecure C vs Rust, LLMs will eventually level out the playing field.
I'm not arguing we all go back to C - but companies that have large codebases in it, the guys screaming "RUST REWRITE" can be quieted and instead of making that large investment, the C codebase may continue. Not saying this is a GOOD thing, but just a thing that may happen.