Daniel Stenberg, curl's lead developer, shares his experience with Anthropic's Mythos AI model scanning curl's 178K-line C codebase for security vulnerabilities. Despite massive media hype around Mythos being 'dangerously good' at finding security flaws, the scan of curl yielded only one confirmed low-severity vulnerability out of five initially flagged findings — the rest were false positives or non-security bugs. Stenberg notes curl had already been scanned by AISLE, Zeropath, and OpenAI Codex Security, which collectively triggered 200-300 bugfixes. He concludes Mythos is not significantly better than existing AI code analyzers, calling the hype primarily marketing. However, he strongly endorses AI-powered code analysis in general as far superior to traditional static analyzers, urging all projects to adopt such tooling before adversaries exploit unfound flaws.

11m read time. From daniel.haxx.se
Table of contents: My (non-) access; AI scans of curl; May 6, 2026; The size of curl; Five findings became one; Not particularly “dangerous”; Still very good; How AI analyzers differ; More details from the report; AI finds existing kinds of errors; More to find; Credits