Using AI to identify vulnerabilities and bugs

Mozilla announced that they used Anthropic Mythos to identify over 250 bugs/vulnerabilities.

Given that all our passwords are stored in Bitwarden, it would be nice if Bitwarden used AI (such as Mythos) to identify bugs and vulnerabilities. As AI becomes more powerful, individuals and foreign nation-state actors will utilize AI to try to get into vaults.

If Bitwarden isn’t the first to use it to identify vulnerabilities, its competition will be. It would be nice for Bitwarden to be at the forefront of this.

This entry shows up quite often when looking at Bitwarden’s GitHub. Checkmarx One describes itself as an “AI-powered Application Security Testing Platform”. So, it appears as if Bitwarden is thinking along the same lines as you.

Unfortunately, the name “Checkmarx” is also showing up prominently in the recent supply chain incident to which Bitwarden fell victim, which may end up playing right into the hands of the AI-naysayers.

Real vulnerabilities in coding, workflow, deployment, etc., need to be fixed, even if (or especially if) they’re identified by AIs. It’s the people who have to deal with AIs’ not-so-real, not-so-important but endless reports of vulnerabilities who need to be pitied.

This seems worth evaluating.

Anthropic said Claude Mythos Preview was effective at finding serious vulnerabilities, and Mozilla later said Firefox 150 included fixes for 271 vulnerabilities found during an early Mythos evaluation.

Since Bitwarden protects very sensitive user data, I’d be interested to know whether Bitwarden evaluates similar AI-assisted security testing as part of its process.

Comment on Reddit from a Bitwarden Employee:

It’s open source. You’re more than welcome to use LLMs to identify bugs and submit them to HackerOne. We have had several submissions that are AI assisted, but I suspect it’s not as “full of holes” as you may think.

Just a small clarification: I don’t think Claude Mythos Preview is something individual researchers can simply access and use through HackerOne.

As Anthropic described it, it’s a restricted-access model being offered to selected organizations under Project Glasswing.

So my suggestion wasn’t that community members should use Mythos to submit reports, but rather that Bitwarden itself could evaluate this type of AI-assisted security testing as part of its internal process.