Burned by Vibe Coding: Why I Now Support Project Glasswing
I recently built a small security and privacy scanning tool for security awareness and research use, partly to automate some tedious manual checks, and partly to test how “vibe coding” actually holds up in a real security context. The honest answer: not well on its own.
The core problem I kept running into is that fixing one issue with vibe coding frequently spawns a few more. Patch a logic flaw here, introduce a new attack surface there. Resolve one dependency conflict, break another component. The codebase felt like a game of whack-a-mole, except the moles were invisible until something broke in a scan or simulation. After the tool passed my initial security checks, I moved on to simulation testing and ran it against external scanners, and, no surprise, I found more bugs and security issues. By the time I reached that final stage, I had a newfound and very personal appreciation for why rigorous, professional testing is not optional. It is the whole ballgame.
What Project Glasswing Is Actually Doing
That experience is what made me appreciate what Anthropic is doing with Project Glasswing. The more I sat with my own experience, the more the initiative made sense to me on a gut level.
The initiative brings together AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks around a new frontier model called Claude Mythos Preview, one that Anthropic says has already found thousands of high-severity vulnerabilities across every major operating system and web browser.
Given the rate of AI progress, it will not be long before such capabilities spread to actors who may not be committed to deploying them safely.
That last point is what keeps me up at night after my own experiment. If I, someone with a genuine interest in doing this carefully, still produced a tool with that much room for improvement, what happens when AI-powered security capabilities fall into the hands of people who aren’t trying to be careful at all?
The Gap Between “Looks Fine” and “Actually Safe”
One of the more humbling findings from Project Glasswing illustrates exactly what I experienced at a much smaller scale. Mythos Preview uncovered a 16-year-old vulnerability in FFmpeg, software used by countless applications to handle video, in a line of code that automated testing tools had run against several times without ever detecting the problem.
Mythos Preview was able to identify nearly all of the vulnerabilities it found, and develop many related exploits, entirely autonomously, without human steering. That capability cuts both ways: it is extraordinarily powerful for defenders, and extraordinarily dangerous if it ends up in the wrong hands first.
Why Industry Leaders Have to Go First
My personal conclusion from building that tool was the same conclusion Anthropic seems to have reached at a civilizational scale: the people and organizations who test these capabilities first, and who feed results back into fixes, need to be those with the technical depth to handle what they find responsibly.
Project Glasswing extends access to over 40 additional organizations that build or maintain critical software infrastructure, and Anthropic is committing up to $100 million in usage credits for Mythos Preview across these efforts, along with $4 million in direct donations to open-source security organizations.
The Linux Foundation’s involvement is particularly meaningful here. Open-source maintainers, whose software underpins much of the world’s critical infrastructure, have historically been left to navigate security on their own, without the resources of large security teams. Project Glasswing offers a path to changing that.
This is the right sequencing. Start with infrastructure providers and major platforms. Find the vulnerabilities. Patch them. Then let the knowledge ripple outward into the broader ecosystem, rather than letting the capabilities ripple outward first and hoping defenders can keep up. My security tool works now (still with 2 bugs to be fixed), more or less, after a lot of painstaking review and fixes I had to make carefully at the critical points. But it took far more effort than the initial AI-assisted sprint suggested it would. That lesson, learned at personal scale, is the same lesson Project Glasswing is trying to teach the world before we all learn it the hard way together.
Reference: https://www.anthropic.com/glasswing
This is a Security Bloggers Network syndicated blog from Chasing Polaris - Wickey's blog authored by Wickey Wang. Read the original post at: https://wickey.substack.com/p/burned-vibe-coding-why-i-now-support-project-wickey-kifcc