
Washington export-controlled an AI for finding bugs. Your oldest code is the soft target.

The US used export-control powers to pull a frontier AI model that finds software bugs at scale. Here is what machine-speed vulnerability discovery means for


The US government did something on June 12 that it had never done to a commercially deployed American AI model: it used export-control authority to cut off foreign access to one. The trigger was not training data, bias, or privacy. It was that the model is unusually good at finding software vulnerabilities. That single fact, more than the dramatic headlines about classified systems, is what a security team should sit with this week.

The same capability that prompted a federal shutdown is now being pointed at open-source code to repair it. Both halves of that sentence are true at once, and together they change the math on how fast latent bugs surface and how quickly you have to close them.

What actually happened

On June 12, 2026, at 5:21pm ET, Anthropic received what it called an export-control order from Washington, justified on national-security grounds, that halted every foreign national's access to its two strongest models, Fable 5 and Mythos 5, whether the user sat inside the country or outside it. There is no workable way to confirm the citizenship of each person at request time, so rather than risk breaching the order the company switched both models off for its whole customer base. Its remaining models kept running. Fortune and TIME both covered the order and how far it reached, down to Five Eyes allies and the company's own staff who are not US citizens.

The reason behind the order matters more than the outage it caused. Officials moved after they were shown a way to get past the guardrails that hold back the model's offensive security skills. Anthropic called that bypass a narrow one and pushed back in public, arguing that yanking a shipped model over a single trick would, as a general rule, freeze future releases for the whole field. You do not have to pick a side in that fight to catch the signal under it: a regulator judged a model's knack for finding flaws to be a national-security item, the sort of thing that normally sits behind an export license.

A louder claim rides along with this story, and it needs a plain caveat. Security Affairs, pointing to The Economist and a Senate Intelligence Committee hearing, reported that Senator Mark Warner described testimony from General Joshua Rudd, who runs both the NSA and Cyber Command, that the model had cracked nearly every classified system put in front of it within hours rather than weeks. That account is not confirmed. It reaches us secondhand through a hearing, not through any technical writeup, and the outlet carrying it flags the gap itself. Read it as the politics that drove the order, not as a settled finding about what the model did.

The jailbreak was mundane, and that is the whole problem

By Anthropic's own description, the bypass the government flagged amounts to pointing the model at a chosen codebase and telling it to repair whatever is broken. Read that twice. The instruction that supposedly unlocks the dangerous behavior is the same instruction you would hand a defensive tool. Find the bugs in this code. There is no clean line between the offensive use and the defensive one, because they are one operation aimed in two directions.

That is why the lever the government reached for was access, not alignment. You cannot safety-tune away "find vulnerabilities in this code" without breaking the legitimate reason anyone wants a cyber-capable model in the first place. So the control becomes who is allowed to run it. The uncomfortable corollary for defenders: access controls are exactly the kind of boundary that leaks. A jailbroken, fine-tuned, or quietly exfiltrated frontier model does not respect a citizenship check. The export directive raises the cost of access for a nation-state, but it does not remove the capability from the world.

Machine-speed patching is already running in production

The defensive half of this is not a forecast. OpenAI stood up a program named Patch the Planet, run alongside Trail of Bits and HackerOne, that walks an open-source project all the way from a raw finding to a fix that ships, and it paired the effort with a defender-only release of GPT-5.5-Cyber. On the CyberGym benchmark that model scores 85.6 percent, a few points clear of the 81.8 percent its general-purpose sibling manages. The opening week tells the story better than any benchmark does: across 19 projects the work turned hundreds of raw findings into 64 proposed code changes, of which 37 were accepted and merged, each one passing a human reviewer first.

These programs turn up real bugs in real software. By OpenAI's account, one of its models surfaced a WebAssembly bug, now CVE-2026-8390, in time for Mozilla to ship a fix just ahead of the Pwn2Own Berlin contest, and GPT-5.5-Cyber read its way through over thirty million lines of code, picked out the security-sensitive parts, and confirmed a batch of them by running them. The figure worth keeping is not any single CVE. It is the throughput: a machine reading tens of millions of lines and handing back validated, patchable findings on a clock no human review team can hold.

Why "old and stable" is no longer the same as "safe"

For two decades, defenders have leaned on a quiet heuristic: code that has been in production for years, widely deployed and rarely touched, is probably fine because someone would have found the bug by now. That assumption was always a bet on attacker effort. It is now a bad bet.

When a model can read an entire codebase in one pass and do it for thousands of codebases, the cost of looking drops to near zero, and the bugs that survived because nobody bothered to look start coming out. The reported example in this story is a flaw in OpenBSD said to be 27 years old. Whether or not that specific number holds, the pattern is the one to plan around. Your oldest, least-maintained dependencies, the ones with no active security team and no recent release, are the soft target, because they are where latent bugs have accumulated undisturbed and where a fix, if one is even produced, will land slowly.

This cuts both ways, and that is the genuinely hard part. The same scan that lets a maintainer fix a 27-year-old bug lets an adversary find it first. Defenders mostly get the gated, human-reviewed, "trusted access" version of these tools. An attacker who has jailbroken or stolen one gets the ungated version with no pull-request review slowing it down. The asymmetry favors whoever automates discovery and weaponization fastest, and right now that race has no referee.

What to do this week

You cannot patch an AI capability shift. You can get your patch and dependency posture ready for the volume it is about to produce.

  • Rank your dependencies by age and maintenance, not just by CVSS. Pull your software bill of materials and sort for the packages that have not shipped a release in years and have no funded security team. Those are the ones most likely to get a freshly discovered, slowly patched bug. Triage them before the CVE lands, not after.

  • Build the pipeline for throughput. A patch process tuned to a handful of critical CVEs a month will not absorb a wave of mid-severity findings in long-stable code. Pre-stage change windows, automate the testing path, and decide now how you will prioritize when ten plausible patches arrive in a week instead of one.

  • Expect the surge in old open-source code first. The early findings from these programs cluster in widely used libraries and system code, not in last month's release. Tell your team that a CVE in a dependency you have run untouched for a decade is now a normal event, not an anomaly.

  • Treat access to cyber-capable models as a control surface. Inventory which frontier models your developers and your vendors can reach, and how. The export directive is a reminder that who can run these tools is the thing regulators and adversaries both care about. Your third-party risk reviews should start asking it too.
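The first item above, ranking by age and maintenance rather than by CVSS alone, can be sketched as follows. This is an added example, not code from the article: the package names, the maintenance metadata fields (`last_release`, `security_contact`, `max_known_cvss`) and the scoring weights are all constructed assumptions, and the metadata would in practice come from registry or repository lookups.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM (sample data; package names are made up).
SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "fastjson-ex",   "purl": "pkg:pypi/fastjson-ex@4.2.1"},
  {"type": "library", "name": "oldzip-ex",     "purl": "pkg:pypi/oldzip-ex@1.0.3"},
  {"type": "library", "name": "libtinyxml-ex", "purl": "pkg:generic/libtinyxml-ex@0.9"},
  {"type": "library", "name": "render-ex",     "purl": "pkg:npm/render-ex@12.0.0"}]}""")

# Constructed maintenance metadata keyed by purl. An SBOM does not carry this;
# the field names are hypothetical and stand in for registry/repository lookups.
META = {
    "pkg:pypi/fastjson-ex@4.2.1": {"last_release": "2026-05-02", "security_contact": True,  "max_known_cvss": 9.1},
    "pkg:pypi/oldzip-ex@1.0.3":   {"last_release": "2015-03-10", "security_contact": False, "max_known_cvss": 0.0},
    "pkg:npm/render-ex@12.0.0":   {"last_release": "2023-01-20", "security_contact": True,  "max_known_cvss": 5.3},
}

def staleness_score(meta, today):
    """Higher score = more likely to hold latent bugs that will be patched slowly."""
    if meta is None:
        return 100.0  # no metadata at all: unknown provenance ranks first
    age_years = (today - date.fromisoformat(meta["last_release"])).days / 365.25
    score = min(age_years, 10.0) * 5.0  # up to 50 points for age (illustrative weight)
    if not meta["security_contact"]:
        score += 30.0  # nobody positioned to receive a report or ship a fix
    return round(score, 1)

def rank_by_staleness(sbom, meta, today):
    rows = [(staleness_score(meta.get(c["purl"]), today), c["name"])
            for c in sbom["components"] if c.get("type") == "library"]
    return [name for _, name in sorted(rows, key=lambda r: (-r[0], r[1]))]

def rank_by_cvss(sbom, meta):
    """CVSS-only ordering for comparison: it reflects only bugs already known."""
    rows = [(meta.get(c["purl"], {}).get("max_known_cvss", 0.0), c["name"])
            for c in sbom["components"]]
    return [name for _, name in sorted(rows, key=lambda r: (-r[0], r[1]))]

if __name__ == "__main__":
    today = date(2026, 6, 15)  # fixed date so the output is reproducible
    print("by CVSS:     ", rank_by_cvss(SBOM, META))
    print("by staleness:", rank_by_staleness(SBOM, META, today))
```

The two orderings are nearly inverted: the recently released package with a known high-CVSS issue leads the CVSS list, while the component with no metadata and the decade-old package with no security contact lead the staleness list.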

The line that just moved

The headline-grabbing claim in this episode is unverified, and may stay that way. The verifiable part is enough on its own. A government treated a commercial model's vulnerability-finding skill as a weapon worth export-controlling, and in the same month a competing lab put nearly the same skill to work fixing open-source software at machine speed. Both events point at the same near future: latent bugs in old code surface faster than they used to, the boundary on who can find them is access rather than capability, and access is the boundary most likely to fail. Plan your patch program for the world where looking is cheap, because it already is.


Frequently asked questions

Why did the US government suspend access to Anthropic's Fable 5 and Mythos 5 models?

The government issued an export-control directive on June 12, 2026 citing national security, after learning of a technique to bypass the safeguards that gate the model's cybersecurity abilities. Anthropic disabled both models for all customers to comply, since real-time nationality checks were not practical, and called the cited jailbreak narrow.

Did an AI model really break into NSA classified systems?

That claim is unverified. It comes from Senate testimony relayed by Senator Mark Warner citing General Joshua Rudd, and the outlet that reported it states plainly it is not independently confirmed. Treat it as the political context behind the export directive, not as an established technical fact.

What is OpenAI's Patch the Planet initiative?

Patch the Planet is an OpenAI program, built with Trail of Bits and HackerOne, that uses its GPT-5.5-Cyber model to take open-source projects from vulnerability finding to merged fix. In its opening week it produced hundreds of findings, 64 pull requests, and 37 merged patches across 19 projects, with humans reviewing each change.

How does AI-driven vulnerability discovery change patch management?

It collapses the cost of looking, so latent bugs in old, widely deployed code surface far faster than human research found them. Defenders should rank dependencies by age and maintenance status rather than only by CVSS, and tune their patch pipeline for a higher volume of findings rather than the occasional critical CVE.

Why is old, stable open-source code now a bigger risk?

Stable code was considered safe because attacker effort to find new bugs was high. AI scanning drops that effort to near zero across thousands of codebases at once, so bugs that survived only because nobody looked now get found. Unmaintained dependencies with no security team and no recent release are the most exposed.

What should security teams do in response right now?

Pull your software bill of materials and prioritize the oldest, least-maintained dependencies for review before a CVE lands. Build a patch pipeline that can absorb volume, with pre-staged change windows and automated testing. Inventory which frontier AI models your developers and vendors can access, and add that question to third-party risk reviews.
