Vulnerability exposed and attacked in just 4 hours, Bloomberg column warns: The Mythos of the "Responsible Disclosure" era has ended
Bloomberg Opinion Technology Columnist Parmy Olson uses Anthropic’s most powerful model Mythos as a starting point to reveal a more fundamental cybersecurity crisis: the time from software vulnerability disclosure to exploitation has been compressed from an average of 771 days in 2018 to less than 4 hours. In her column, she points out that the real issue isn’t whether big banks can defend themselves—they have the money and people to block attacks—but that countless small and medium-sized enterprises have no defenses in the age of AI-driven agentic attacks, and the industry’s long-standing responsible disclosure model has effectively declared itself dead.
771 days, compressed into 4 hours. According to tracking data from zerodayclock.com, the average time from a software vulnerability being made public to an attack being possible has gone from 771 days in 2018 to less than 4 hours now. This is a compression of over 4,600 times—and this number is the shocking opening that Bloomberg Opinion tech columnist Parmy Olson chose for her latest column.
Olson’s column begins with Mythos, Anthropic’s latest flagship model, but she explicitly states that Mythos is just a symptom, not the cause. She believes that what truly awakens with this leap in AI capability is not just banks, but all organizations relying on digital systems—including the vast majority of small and medium-sized businesses that are often unaware of their own vulnerabilities.
A call from the Treasury Secretary and confirmation from the most neutral arbiter
Within days of Mythos’s release, U.S. Treasury Secretary Scott Bessent convened Wall Street leaders to confirm system defenses. Olson observes that this move created “invaluable publicity” for Anthropic, while also raising questions: “Who can get an exclusive look at its threat potential?”
Olson further mentions that the UK’s AI Safety Institute (AISI) has gained access to Mythos. She calls AISI “the world’s top neutral arbiter of what counts as safe and secure AI,” and notes that AISI’s assessment confirms some of the hype around Mythos.
AISI found that Mythos outperforms OpenAI’s ChatGPT and Google Gemini in complex network attack tasks. But Olson also highlights a key limitation: Mythos is most dangerous against “weakly defended” or “simplified” systems.
This limitation is the turning point of Olson’s entire argument.
Big banks are not the problem
Olson writes that large banks have the world’s strongest IT security infrastructure. While Bessent’s high-profile call to Wall Street leaders is notable, she believes the real vulnerabilities lie elsewhere: “the much broader array of small and medium-sized companies.”
These SMBs are the main battleground for hackers using AI tools to launch attacks.
The death of Responsible Disclosure
To understand why the situation is so urgent, Olson revisits the industry’s long-standing “responsible disclosure” model: security researchers discover vulnerabilities, notify vendors, and publicly disclose them, giving users time to patch before hackers can exploit the flaws.
Microsoft’s Patch Tuesday, with its monthly security updates, is a typical example. IT teams at major banks like Barclays and Wells Fargo need weeks or months to test patches, get management approval, and deploy updates.
Olson points out that before generative AI, this process worked because hackers also needed a long time to analyze details and develop exploits. But she notes that two years ago, the landscape changed: hackers can now paste vulnerability details into ChatGPT, which scans GitHub for similar patterns, and almost instantly generate attack tools.
Compressing 771 days into 4 hours means the logic behind Patch Tuesday has failed. Olson explicitly questions: “whether ‘responsible disclosure’ is such a smart idea in the first place” and “whether the process of patching flaws over weeks and months is now fruitless.”
Mythos can do what top human hackers do
Olson further writes that Mythos’s unique danger lies in its ability to “chain” software vulnerabilities, executing multi-step attacks—something previously only highly skilled human hackers could do.
She uses a burglar analogy: “Like a thief planning a series of intrusion steps—finding an open window, unlocking a door from inside, and turning off the alarm. Each step alone isn’t enough, but combined, they can fully breach the system.”
This capability becomes even more dangerous with the advent of agentic AI. Olson mentions that AI companies in recent months have added agentic capabilities to models, allowing them to act independently. Claude Cowork, which Anthropic released in January, can automatically send emails and schedule appointments. For hackers, agentic tools not only find vulnerabilities but also autonomously try various attack paths until one succeeds.
Olson’s double-edged conclusion: Anthropic has motives, but the problem is real
Olson ends her column without avoiding Anthropic’s commercial motives. She writes: “Anthropic’s disclosure of Mythos certainly benefits its own publicity efforts ahead of an initial public offering, adding to the mystique around the potency of its technology.”
But she also emphasizes that this does not negate the seriousness of the issue: “But it’s also forcing a much-needed reckoning over how the window of time between published IT flaws and their exploitation has effectively vanished.”
Olson observes that even Wall Street cannot answer how responsible disclosure should be handled. Banks have the manpower and funds to push near-real-time patching. But the bigger problem is SMBs—who need to act just as quickly but lack the market’s current technological and regulatory support.
Previously, ZDNet reported on Andrej Karpathy’s 15-step personal cybersecurity checklist, a defensive framework at the individual level. Olson’s column addresses a systemic crisis at the organizational level: when vulnerabilities can be weaponized in just 4 hours after disclosure, the entire cybersecurity ecosystem built on “you still have time” assumptions must be redesigned.