Anthropic's recent launch of a public bug bounty program is a strategic move that highlights the ongoing importance of human-led security research in the face of advanced AI-driven cybersecurity tools. This decision comes as a surprise to some, given the company's recent unveiling of Claude Mythos and Project Glasswing, which are touted as groundbreaking advancements in AI-driven vulnerability discovery. However, the launch of the bug bounty program serves as a tacit acknowledgment that conventional security research remains a cornerstone of finding and fixing real-world vulnerabilities, even as AI systems become more sophisticated.

The program, hosted on HackerOne, allows external researchers to report vulnerabilities in Anthropic-developed software and systems, with rewards determined by the Common Vulnerability Scoring System (CVSS). This marks an evolution from Anthropic's earlier vulnerability disclosure efforts, which primarily acted as a reporting and triage channel. The new program covers a broad range of assets, including Claude.ai, the Anthropic API, Claude Code, and internal infrastructure, but excludes certain categories such as vulnerabilities affecting third-party MCP servers and low-severity informational findings. Notably, Claude Code is within scope for critical vulnerabilities involving unauthorized command execution, invisible tool usage, and permission bypasses, which are increasingly relevant as autonomous coding agents become more prevalent.

Anthropic's decision to launch the bug bounty program simultaneously with the introduction of Mythos raises questions about the company's claims regarding the advanced capabilities of its AI-driven cybersecurity tools. Some users on social media have openly questioned the tension between these claims and the launch of a traditional human-led bug bounty program.
Benchmarking transparency has also been a point of contention, with critics arguing that Anthropic has not disclosed sufficient comparisons against established static analysis and security tooling, nor provided detailed false-positive metrics, which are crucial for assessing the practical utility of vulnerability discovery tools.

Despite these concerns, there is evidence suggesting that Mythos' capabilities may extend beyond marketing hype. The UK AI Security Institute (ASI) released an evaluation showing that Mythos could autonomously complete multi-stage cyberattack simulations and solve expert-level capture-the-flag (CTF) challenges at rates that previous frontier models struggled to approach. However, ASI also cautioned against overinterpreting the results, noting that the tests occurred in controlled environments without many of the defensive measures and real-world constraints found in hardened enterprise networks.

Ultimately, Anthropic's new HackerOne rollout reveals a more nuanced reality: even in an era of increasingly capable AI cyber systems, the company still values the insights and expertise of human researchers in probing the security boundaries of its products. This dual approach of leveraging AI-driven tools and human-led research may be the key to achieving robust cybersecurity in the future.