Today we're announcing Project Glasswing1, a new initiative that brings together Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in an effort to secure the world's most critical software.
We formed Project Glasswing because of capabilities we've observed in a new frontier model trained by Anthropic that we believe could reshape cybersecurity. Claude Mythos2 Preview is a general-purpose, unreleased frontier model that reveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.
surpass all but the most skilled humans:all but X 是重要片語,字面「除 X 以外的全部」,引申「幾乎全部」。例如 all but impossible(幾乎不可能)、all but dead(幾乎死了)。這裡意思是「超越除最頂尖人類之外的所有人」——非常委婉而精準的表達方式。
Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. The fallout—for economies, public safety, and national security—could be severe. Project Glasswing is an urgent attempt to put these capabilities to work for defensive purposes.
Mythos Preview 已經找到數千個高危漏洞,包括各大主流作業系統和網頁瀏覽器中的漏洞。按 AI 進展速度來看,這類能力在不久之後就會擴散,可能流向不願負責任部署的人手中。由此引發的後果——對經濟、公共安全、國家安全——可能非常嚴重。Project Glasswing 正是要急切地把這些能力導向防禦用途。
actor 在網路安全/地緣政治語境中指「行為者」——不是演員,而是「有能力發起行動的個人、組織或國家」。例如 state-sponsored actors(國家支持的攻擊者)、bad actors(惡意行為者)。這個用法在國際關係與資安圈很常見。
As part of Project Glasswing, the launch partners listed above will use Mythos Preview as part of their defensive security work; Anthropic will share what we learn so the whole industry can benefit. We have also extended access to a group of over 40 additional organizations that build or maintain critical software infrastructure so they can use the model to scan and secure both first-party and open-source systems. Anthropic is committing up to $100M in usage credits for Mythos Preview across these efforts, as well as $4M in direct donations to open-source security organizations.
Project Glasswing is a starting point. No one organization can solve these cybersecurity problems alone: frontier AI developers, other software companies, security researchers, open-source maintainers, and governments across the world all have essential roles to play. The work of defending the world's cyber infrastructure might take years; frontier AI capabilities are likely to advance substantially over just the next few months. For cyber defenders to come out ahead, we need to act now.
Project Glasswing 只是起點。沒有任何單一組織能獨自解決這些資安問題:前沿 AI 開發者、其他軟體公司、資安研究者、開源維護者,以及世界各國政府,都有不可或缺的角色要扮演。守護全球網路基礎建設的工作可能要花上好幾年;而前沿 AI 能力可能只在接下來幾個月就會大幅進展。要讓防守方取得領先,我們必須現在就行動。
新字:maintainer, essential, substantially, come out ahead
文化脈絡
come out ahead 是慣用片語,字面「從結果來看處於領先」,引申為「勝出、獲勝、佔上風」。常用於競爭情境。這裡的資安語境中,意味著「讓防守方(相對於攻擊方)佔上風」。
Cybersecurity in the Age of AI
AI 時代的網路安全
The software that all of us rely on every day—responsible for running banking systems, storing medical records, linking up logistics networks, keeping power grids functioning, and much more—has always contained bugs. Many are minor, but some are serious security flaws that, if discovered, could allow cyberattackers to hijack systems, disrupt operations, or steal data.
新字:banking system, logistics, power grid, flaw, hijack, disrupt
We have already seen the serious consequences of cyberattacks for important corporate networks, healthcare systems, energy infrastructure, transport hubs, and the information security of government agencies across the world. On the global stage, state-sponsored attacks from actors like China, Iran, North Korea, and Russia have threatened to compromise the infrastructure that underpins both civilian life and military readiness.
Even smaller-scale attacks, such as those where individual hospitals or schools are targeted, can still inflict substantial economic damage, expose sensitive data, and even put lives at risk. The current global financial costs of cybercrime are challenging to estimate, but might be around $500B every year.
新字:smaller-scale, inflict, substantial, sensitive, at risk, estimate
Many flaws in software go unnoticed for years because finding and exploiting them has required expertise held by only a few skilled security experts. With the latest frontier AI models, the cost, effort, and level of expertise required to find and exploit software vulnerabilities have all dropped dramatically.
軟體中的許多漏洞多年來未被察覺,因為找出並利用它們需要只有少數資深資安專家才具備的專業知識。而隨著最新的前沿 AI 模型出現,找漏洞與利用漏洞所需的成本、心力與專業門檻都大幅降低。
新字:go unnoticed, expertise, dramatically
Over the past year, AI models have become increasingly effective at reading and reasoning about code—in particular, they show a striking ability to spot vulnerabilities and work out ways to exploit them. Claude Mythos Preview demonstrates a leap in these cyber skills—the vulnerabilities it has spotted have in some cases survived decades of human review and millions of automated security tests, and the exploits it develops are increasingly sophisticated.
Ten years after the first DARPA Cyber Grand Challenge, frontier AI models are now becoming competitive with the best humans at finding and exploiting vulnerabilities. Without the necessary safeguards, these powerful cyber capabilities could be used to exploit the many existing flaws in the world's most important software. This could make cyberattacks of all kinds much more frequent and destructive, and empower adversaries of the United States and its allies. Addressing these issues is therefore an important security priority for democratic states.
在首屆 DARPA Cyber Grand Challenge(網路大挑戰賽)舉辦十年後的今天,前沿 AI 模型在發現與利用漏洞上已足以與最頂尖的人類競爭。若缺乏必要的防護措施,這些強大的資安能力可能被用來利用全球最重要軟體中既有的大量漏洞。這會讓各式網路攻擊變得更頻繁、更具破壞力,並強化美國及其盟邦對手的實力。因此,處理這些問題是民主國家的重要安全優先事項。
DARPA Cyber Grand Challenge 是美國國防先進研究計畫署(DARPA)於 2016 年舉辦的網路安全競賽,要求參賽團隊打造完全自動化的系統,在無人類介入下找出並修補漏洞。這是 AI + 資安領域的里程碑事件,文中「十年後」即指這個時間點的對照。
Although the risks from AI-augmented cyberattacks are serious, there is reason for optimism: the same capabilities that make AI models dangerous in the wrong hands make them invaluable for finding and fixing flaws in important software—and for producing new software with far fewer security bugs. Project Glasswing is an important step toward giving defenders a durable advantage in the coming AI-driven era of cybersecurity.
儘管 AI 強化的網路攻擊風險很嚴重,仍有理由樂觀:讓 AI 模型在壞人手中危險的能力,同樣能讓它在守護重要軟體的工作上無比寶貴——幫助發現並修補漏洞,也能產出更少資安 bug 的新軟體。Project Glasswing 是朝向「讓防守方在 AI 驅動的網路安全新時代取得持久優勢」邁出的重要一步。
the same capabilities that make AI models dangerous in the wrong hands make them invaluable for...:「同樣的能力,放錯地方危險、放對地方珍貴」——這是經典的對比修辭(antithesis),用同一個主詞串起兩個相反情境。英文說服性文章常用這種句構。
Identifying Vulnerabilities and Exploits with Claude Mythos Preview
用 Claude Mythos Preview 發現漏洞與攻擊手法
Over the past few weeks, we have used Claude Mythos Preview to identify thousands of zero-day vulnerabilities (that is, flaws that were previously unknown to the software's developers), many of them critical, in every major operating system and every major web browser, along with a range of other important pieces of software.
過去幾週,我們使用 Claude Mythos Preview 找出了數千個 zero-day 漏洞(亦即軟體開發者事先未知的漏洞),其中許多是嚴重等級,遍及所有主流作業系統、所有主流網頁瀏覽器,以及一系列其他重要軟體。
In a post on our Frontier Red Team blog, we provide technical details for a subset of these vulnerabilities that have already been patched and, in some cases, the ways that Mythos Preview found to exploit them. It was able to identify nearly all of these vulnerabilities—and develop many related exploits—entirely autonomously, without any human steering. The following are three examples:
在我們的 Frontier Red Team blog 上,我們揭露了其中一部分已修補漏洞的技術細節,以及 Mythos Preview 發現的攻擊路徑。它幾乎能完全自主地找出所有這些漏洞,並開發出許多相關的 exploit——完全無須人類引導。以下是三個實例:
新字:subset, patched, autonomously, steering
Mythos Preview found a 27-year-old vulnerability in OpenBSD—which has a reputation as one of the most security-hardened operating systems in the world and is used to run firewalls and other critical infrastructure. The vulnerability allowed an attacker to remotely crash any machine running the operating system just by connecting to it.
It also discovered a 16-year-old vulnerability in FFmpeg—which is used by innumerable pieces of software to encode and decode video—in a line of code that automated testing tools had hit five million times without ever catching the problem.
The model autonomously found and chained together several vulnerabilities in the Linux kernel—the software that runs most of the world's servers—to allow an attacker to escalate from ordinary user access to complete control of the machine.
該模型自主地在 Linux kernel(核心)中找到並串接多個漏洞——Linux kernel 運行著全球大多數的伺服器——讓攻擊者能從一般使用者權限提升到完整控制整台機器。
新字:chain together, kernel, escalate, ordinary
文化脈絡
privilege escalation(權限提升)是資安經典攻擊模式——先用一般使用者身分進入系統,再利用漏洞一階一階提升權限,直到取得 root(最高管理員)權限。chain together 則是「把多個漏洞串成攻擊鏈」,單個漏洞可能只是小問題,串起來就能造成災難。
We have reported the above vulnerabilities to the maintainers of the relevant software, and they have all now been patched. For many other vulnerabilities, we are providing a cryptographic hash of the details today (see the Red Team blog), and we will reveal the specifics after a fix is in place.
我們已經向相關軟體的維護者回報上述漏洞,並且全數都已修補。至於許多其他漏洞,我們今天提供的是其詳情的密碼學雜湊值(請見 Red Team blog),待修補完成後,再公開具體細節。
原文此處包含互動式圖表,對比 Claude Mythos Preview 與 Claude Opus 4.6 在以下資安與程式能力評測上的表現:
Cybersecurity Vulnerability Reproduction:網路安全漏洞重現
CyberGym:資安能力綜合評測
圖表結論:Mythos Preview 在兩項評測上均明顯優於 Opus 4.6。靜態 HTML 無法呈現互動圖表,請參考原文網頁。
In addition to our own work, many of our partners have already been using Claude Mythos Preview for several weeks. This is what they've found:
除了我們自己的工作之外,許多合作夥伴已經使用 Claude Mythos Preview 好幾週了。以下是他們的發現:
合作夥伴證言
原文以 8 段 blockquote 呈現,按出現順序
"AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure from cyber threats, and there is no going back. Our foundational work with these models has shown we can identify and fix security vulnerabilities across hardware and software at a pace and scale previously impossible. That is a profound shift, and a clear signal that the old ways of hardening systems are no longer sufficient. Providers of technology must aggressively adopt new approaches now, and customers need to be ready to deploy. That is why Cisco joined Project Glasswing—this work is too important and too urgent to do alone."
"At AWS, we build defenses before threats emerge, from our custom silicon up through the technology stack. Security isn't a phase for us; it's continuous and embedded in everything we do. Our teams analyze over 400 trillion network flows every day for threats, and AI is central to our ability to defend at scale. We've been testing Claude Mythos Preview in our own security operations, applying it to critical codebases, where it's already helping us strengthen our code. We're bringing deep security expertise to our partnership with Anthropic and are helping to harden Claude Mythos Preview so even more organizations can advance their most ambitious work with security that sets the standard."
「在 AWS,我們在威脅出現之前就先建立防禦,從自家設計的晶片一路到整個技術堆疊。安全對我們不是一個階段,而是持續、嵌入一切作為中的。我們的團隊每天分析超過 400 兆次網路流量以辨識威脅,AI 是我們能大規模防守的核心。我們一直在自家資安運作中測試 Claude Mythos Preview,套用到關鍵程式碼庫上,它已經幫助我們強化程式碼。我們把深厚的資安專業帶進與 Anthropic 的合作,協助強化 Claude Mythos Preview,讓更多組織都能在立下安全標準的基礎上,推進他們最具野心的工作。」
— Amy Herzog, Vice President and CISO, Amazon Web Services
"As we enter a phase where cybersecurity is no longer bound by purely human capacity, the opportunity to use AI responsibly to improve security and reduce risk at scale is unprecedented. Joining Project Glasswing, with access to Claude Mythos Preview, allows us to identify and mitigate risk early and augment our security and development solutions so we can better protect customers and Microsoft. When tested against CTI-REALM, our open-source security benchmark, Claude Mythos Preview showed substantial improvements compared to previous models. We look forward to partnering with Anthropic and the broader industry to improve security outcomes for all."
「當我們進入『網路安全不再被人類能力所侷限』的新階段,負責任地運用 AI 來大規模提升安全、降低風險的機會前所未見。加入 Project Glasswing 並取得 Claude Mythos Preview 的存取權,讓我們能及早辨識並緩解風險,強化既有的資安與開發方案,以更好地保護客戶與 Microsoft。在我們的開源資安基準 CTI-REALM 上測試時,Claude Mythos Preview 相比前代模型有顯著提升。我們期待與 Anthropic 及更廣大業界合作,為所有人改善資安成果。」
— Igor Tsyganskiy, EVP of Cybersecurity and Microsoft Research, Microsoft
"The window between a vulnerability being discovered and being exploited by an adversary has collapsed—what once took months now happens in minutes with AI. Claude Mythos Preview demonstrates what is now possible for defenders at scale, and adversaries will inevitably look to exploit the same capabilities. That is not a reason to slow down; it's a reason to move together, faster. If you want to deploy AI, you need security. That is why CrowdStrike is part of this effort from day one."
「從漏洞被發現到被對手利用之間的時間窗已經崩塌——過去要花幾個月的事,現在靠 AI 幾分鐘就會發生。Claude Mythos Preview 展示了防守方現在能做到的規模,而對手無可避免會尋求同樣的能力。這不是放慢腳步的理由;這是要一起加快腳步的理由。如果你想要部署 AI,你就需要資安。這正是 CrowdStrike 從第一天就加入這項計畫的原因。」
"In the past, security expertise has been a luxury reserved for organizations with large security teams. Open source maintainers—whose software underpins much of the world's critical infrastructure—have historically been left to figure out security on their own. Open source software constitutes the vast majority of code in modern systems, including the very systems AI agents use to write new software. By giving the maintainers of these critical open source codebases access to a new generation of AI models that can proactively identify and fix vulnerabilities at scale, Project Glasswing offers a credible path to changing that equation. This is how AI-augmented security can become a trusted sidekick for every maintainer, not just those who can afford expensive security teams."
「過去,資安專業是奢侈品,只有擁有大型資安團隊的組織才能享有。開源軟體的維護者——他們的軟體支撐著全球大部分的關鍵基礎建設——歷來都只能靠自己摸索資安。開源軟體構成現代系統中絕大多數的程式碼,包括 AI agent 用來寫新軟體的那些系統。透過讓這些關鍵開源程式碼庫的維護者存取新一代能夠主動大規模找出並修補漏洞的 AI 模型,Project Glasswing 提供了一條可信的路徑來改變這個不對等的局面。這就是 AI 強化的資安如何能成為每個維護者值得信賴的副手,而不只是那些負擔得起昂貴資安團隊的公司才有的資源。」
— Jim Zemlin, CEO, The Linux Foundation
Jim Zemlin,Linux Foundation 執行長
新字:luxury, reserved for, constitute, proactively, credible, equation, sidekick, afford
文化脈絡
change the equation(改變等式)是商業與政策英文常用比喻——把複雜局面視為一道「方程式」,改變等式就是「徹底改變整個局勢的邏輯」。比 change the game(改變遊戲規則)更學術、更政策感。sidekick(副手、跟班)則來自漫畫/電影用語,指主角身邊的助手角色,借用到科技圈很有畫面感。
"Promoting the cybersecurity and resiliency of the financial system is central to JPMorganChase's mission, and we believe the industry is strongest when leading institutions work together on shared challenges. Project Glasswing provides a unique, early stage opportunity to evaluate next-generation AI tools for defensive cybersecurity across critical infrastructure both on our own terms and alongside respected technology leaders. We will take a rigorous, independent approach to determining how to proceed and where we can help. Anthropic's initiative reflects the kind of forward-looking, collaborative approach that this moment demands."
「促進金融體系的網路安全與韌性,是 JPMorganChase 使命的核心,我們相信當龍頭機構共同面對共同挑戰時,整個產業最為強大。Project Glasswing 提供了一個獨特的早期機會,讓我們在自己的條件下、與備受敬重的技術領袖一起,評估新一代 AI 工具在關鍵基礎建設防禦性資安上的應用。我們會以嚴謹、獨立的方式決定如何推進、能在哪些地方貢獻。Anthropic 的這項計畫,展現了此時此刻所需要的前瞻性、協作式作為。」
— Pat Opet, Chief Information Security Officer, JPMorganChase
Pat Opet,JPMorganChase 資訊安全長
新字:resiliency, institution, on our own terms, rigorous, forward-looking, collaborative
"Google is pleased to see this cross-industry cybersecurity initiative coming together and to make Mythos Preview available to participants via Vertex AI. It's always been critical that the industry work together on emerging security issues, whether it's post-quantum cryptography, responsible zero-day disclosure, secure open source software, or defense against AI-based attacks. We have long believed that AI poses new challenges and opens new opportunities in cyber defense, which is why we've built AI-powered tools—such as Big Sleep and CodeMender—to find and fix critical software flaws. We will continue investing in our leading cybersecurity platform and a culture focused on protecting users, customers, the ecosystem, and national security."
「Google 很高興看到這項跨產業的網路安全計畫成形,並透過 Vertex AI 向參與者提供 Mythos Preview。產業在新興資安議題上共同合作一直至關重要,無論是後量子密碼學、負責任的零日漏洞揭露、安全的開源軟體,還是抵禦 AI 驅動的攻擊。我們長期以來相信 AI 在網路防禦中既帶來新挑戰、也打開新機會,這就是為什麼我們打造了 Big Sleep 與 CodeMender 等 AI 工具,用來尋找並修補關鍵軟體漏洞。我們會持續投資領先的網路安全平台,以及一個以保護使用者、客戶、生態系與國家安全為核心的文化。」
— Heather Adkins, VP of Security Engineering, Google
"Over the past few weeks, we've had access to the Claude Mythos Preview model, using it to identify complex vulnerabilities that prior-generation models missed entirely. This is not only a game changer for finding previously hidden vulnerabilities, but it also signals a dangerous shift where attackers can soon find even more zero-day vulnerabilities and develop exploits faster than ever before. It's clear that these models need to be in the hands of open source owners and defenders everywhere to find and fix these vulnerabilities before attackers get access. Perhaps even more important: everyone needs to prepare for AI-assisted attackers. There will be more attacks, faster attacks, and more sophisticated attacks. Now is the time to modernize cybersecurity stacks everywhere. We commend Anthropic for partnering with the industry to ensure these powerful capabilities prioritize defense first."
「過去幾週,我們獲得 Claude Mythos Preview 的使用權限,用它找出了前幾代模型完全錯過的複雜漏洞。這不只是在發現過去隱藏漏洞這件事上的顛覆者,也預示了一個危險的轉變:攻擊者很快也能找出更多零日漏洞、並以前所未有的速度開發 exploit。顯然這些模型必須交到世界各地的開源擁有者與防守者手中,在攻擊者取得之前先找出並修補漏洞。或許更重要的是:每個人都要為『AI 協助的攻擊者』做準備。攻擊會更多、更快、更複雜。現在就是升級資安堆疊的時候。我們肯定 Anthropic 與業界合作,確保這些強大能力以防禦為優先。」
新字:prior-generation, game changer, signal, dangerous shift, AI-assisted, sophisticated, modernize, commend
The powerful cyber capabilities of Claude Mythos Preview are a result of its strong agentic coding and reasoning skills. For example, as shown in the evaluation results below, the model has the highest scores of any model yet developed on a variety of software coding tasks.
Claude Mythos Preview 強大的資安能力,源自它強大的 agentic coding 與推理能力。舉例來說,下方評測結果顯示,這個模型在一系列軟體程式任務上的分數,是目前所有模型之冠。
新字:agentic, reasoning, evaluation, yet developed
原文評測基準(圖表與附註)
原文此處列出 Mythos Preview 在多項評測上的成績與技術附註:
SWE-bench Pro / Verified / Multimodal / Multilingual:軟體工程能力評測的不同變體
Terminal-Bench 2.0:終端機操作與任務完成能力
GPQA Diamond:研究所等級的物理、化學、生物問題
Humanity's Last Exam:人類最終試煉——跨領域高難度題目
BrowseComp:瀏覽網頁與資訊搜尋能力
OSWorld-Verified:在真實作業系統中完成任務的能力
技術附註(原文以 bullet 列出):
SWE-bench Verified/Pro/Multilingual:已過濾疑似記憶化(memorization)的題目,Mythos Preview 對 Opus 4.6 的領先幅度仍成立
Humanity's Last Exam:Mythos 在低努力下仍表現良好,可能暗示某種程度的記憶化
BrowseComp:Claude Mythos Preview 得分高於 Opus 4.6,且使用的 token 少了 4.9 倍
圖表結論:Mythos Preview 在所有項目上均領先 Opus 4.6,且多項為目前最高分。靜態 HTML 無法呈現互動圖表,請參考原文網頁。
More information on the model's capabilities, its safety properties, and its general characteristics can be found in the Claude Mythos Preview system card. We do not plan to make Claude Mythos Preview generally available, but our eventual goal is to enable our users to safely deploy Mythos-class models at scale—for cybersecurity purposes, but also for the myriad other benefits that such highly capable models will bring. To do so, we need to make progress in developing cybersecurity (and other) safeguards that detect and block the model's most dangerous outputs. We plan to launch new safeguards with an upcoming Claude Opus model, allowing us to improve and refine them with a model that does not pose the same level of risk as Mythos Preview3.
有關該模型能力、安全性質與一般特徵的更多資訊,可在 Claude Mythos Preview system card 中查閱。我們不打算將 Claude Mythos Preview 普遍開放,但最終目標是讓使用者能大規模安全地部署 Mythos 級模型——除了網路安全用途外,也包含這類高能力模型會帶來的眾多其他好處。為此,我們需要在資安(及其他面向的)防護措施上持續進展,以偵測並阻擋模型最危險的輸出。我們計劃在即將推出的 Claude Opus 模型中導入新的防護措施,讓我們能以一個風險沒那麼高的模型來改善與精修這些措施3。
新字:property, myriad, refine, pose
Plans for Project Glasswing
Project Glasswing 的計畫
Today's announcement is the beginning of a longer-term effort. To be successful, it will require broad involvement from across the technology industry and beyond.
今天的公告只是一項長期工作的起點。要成功,將需要來自科技業乃至更廣大領域的廣泛參與。
新字:longer-term, involvement, beyond
Project Glasswing partners will receive access to Claude Mythos Preview to find and fix vulnerabilities or weaknesses in their foundational systems—systems that represent a very large portion of the world's shared cyberattack surface. We anticipate this work will focus on tasks like local vulnerability detection, black box testing of binaries, securing endpoints, and penetration testing of systems.
Project Glasswing 的夥伴將取得 Claude Mythos Preview 的存取權,用於找出並修補自家基礎系統中的漏洞或弱點——這些系統佔了全球共用網路攻擊面的很大一部分。我們預期這項工作會聚焦於本地漏洞偵測、二進位檔的黑箱測試、端點安全強化、以及系統滲透測試等任務。
新字:weakness, attack surface, anticipate, black box, binary, endpoint, penetration testing
文化脈絡
四個資安專業術語:local vulnerability detection(本地漏洞偵測,在系統內部找漏洞)、black box testing of binaries(二進位檔黑箱測試,在不看原始碼的情況下測試編譯後的程式)、securing endpoints(端點安全,保護員工電腦、手機等終端)、penetration testing(滲透測試,模擬攻擊者實際入侵)。這是資安業界日常四大工作。
Anthropic's commitment of $100M in model usage credits to Project Glasswing and additional participants will cover substantial usage throughout this research preview. Afterward, Claude Mythos Preview will be available to participants at $25/$125 per million input/output tokens (participants can access the model on the Claude API, Amazon Bedrock, Google Cloud's Vertex AI, and Microsoft Foundry).
In addition to our commitment of model usage credits, we've donated $2.5M to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5M to the Apache Software Foundation to enable the maintainers of open-source software to respond to this changing landscape (maintainers interested in access can apply through the Claude for Open Source program).
除了模型使用額度的承諾之外,我們透過 Linux Foundation 向 Alpha-Omega 與 OpenSSF 捐贈 250 萬美元,另向 Apache Software Foundation 捐贈 150 萬美元,讓開源軟體的維護者有能力因應這個變動中的局勢(有興趣的維護者可以透過 Claude for Open Source 計畫申請使用權)。
新字:donation, landscape, apply
We intend for this work to grow in scope and continue for many months, and we'll share as much as we can so that other organizations can apply the lessons to their own security. Partners will, to the extent they're able, share information and best practices with each other; within 90 days, Anthropic will report publicly on what we've learned, as well as the vulnerabilities fixed and improvements made that can be disclosed. We will also collaborate with leading security organizations to produce a set of practical recommendations for how security practices should evolve in the AI era. This will potentially include:
我們打算讓這項工作擴大範疇、持續好幾個月,並盡可能分享成果,讓其他組織把經驗應用到自家資安上。夥伴們將在能力範圍內互相交流資訊與最佳實務;90 天內,Anthropic 將公開報告所學、可披露的漏洞修補與改善。我們也會與資安領域的龍頭組織合作,產出一套實務建議——告訴大家在 AI 時代資安實務該如何演化。可能涵蓋的領域包括:
新字:scope, best practice, disclose, evolve
Vulnerability disclosure processes;
Software update processes;
Open-source and supply-chain security;
Software development lifecycle and secure-by-design practices;
Anthropic has also been in ongoing discussions with US government officials about Claude Mythos Preview and its offensive and defensive cyber capabilities. As we noted above, securing critical infrastructure is a top national security priority for democratic countries—the emergence of these cyber capabilities is another reason why the US and its allies must maintain a decisive lead in AI technology. Governments have an essential role to play in helping maintain that lead, and in both assessing and mitigating the national security risks associated with AI models. We are ready to work with local, state, and federal representatives to assist in these tasks.
Anthropic 也持續與美國政府官員討論 Claude Mythos Preview 及其在網路攻擊與防禦上的能力。如前所述,守護關鍵基礎建設是民主國家頂級的國家安全優先事項——這些資安能力的出現,是美國及其盟邦必須在 AI 技術上維持決定性領先的又一個原因。政府在協助維持這種領先、以及評估並緩解 AI 模型相關國安風險上扮演不可或缺的角色。我們已準備好與地方、州、聯邦層級的代表合作,協助推動這些任務。
新字:ongoing, official, offensive, emergence, decisive, assess, federal representative
We are hopeful that Project Glasswing can seed a larger effort across industry and the public sector, with all parties helping to address the biggest questions around the impact of powerful models on security. We invite other AI industry members to join us in helping to set the standards for the industry. In the medium term, an independent, third-party body—one that can bring together private- and public-sector organizations—might be the ideal home for continued work on these large-scale cybersecurity projects.
我們期望 Project Glasswing 能在整個產業與公部門之間播下一個更大規模行動的種子,各方共同處理「強大模型對安全的影響」這類重大議題。我們邀請其他 AI 業界成員加入,協力為產業設下標準。從中期看,一個獨立的第三方機構——能同時納入私部門與公部門組織——也許是這類大規模資安計畫長期發展的理想家園。
新字:seed, public sector, address, independent, third-party body
Appendix
附註
The project is named for the glasswing butterfly, Greta oto. The metaphor can be applied in two ways: the butterfly's transparent wings let it hide in plain sight, much like the vulnerabilities discussed in this post; they also allow it to evade harm—like the transparency we're advocating for in our approach.
本計畫以玻璃翼蝶(glasswing butterfly,學名 Greta oto)命名。這個比喻有兩層意涵:蝴蝶透明的翅膀讓牠能在明處藏身,就像本文討論的漏洞一樣;同樣這份透明也讓牠躲避傷害——正如我們在整個做法上所倡導的透明度。
新字:metaphor, transparent, hide in plain sight, evade, advocate
From the Ancient Greek for "utterance" or "narrative": the system of stories through which civilizations made sense of the world.
源自古希臘文,意為「話語」或「敘事」:文明藉以理解世界的故事系統。
新字:utterance, narrative, civilization
Security professionals whose legitimate work is affected by these safeguards will be able to apply to an upcoming Cyber Verification Program.
「$500B every year」「400 trillion network flows」「$100M usage credits」「27-year-old vulnerability」——大量具體數字是政策論述的標配,讓抽象議題變得有重量。A1 讀者要習慣英文中這種量化敘事。
8 家合作夥伴證言刻意排序——Cisco、AWS、Microsoft、CrowdStrike(產業龍頭)→ Linux Foundation(開源)→ JPMorganChase(傳統金融)→ Google(雲端)→ Palo Alto Networks(資安)。不是隨意安排,是從「最大規模」依序過渡到「最深度專業」,讀者會感受到「整個生態系都到齊了」。
這篇學到什麼
單字:65 個新字。最值得記:vulnerability(漏洞)、exploit(利用漏洞)、zero-day(零日漏洞)、surpass(超越)、proliferate(擴散)、mitigate(緩解)、adversary(對手)、state-sponsored(國家支持的)、attack surface(攻擊面)、come out ahead(勝出)。
句型:all but the most...(除了最...以外的全部)、對比修辭「the same capabilities that make X dangerous... make them invaluable for Y」、政策文書常用的 has/have crossed a threshold(已經跨越門檻)、in the hands of X(在 X 手中)。