How Claude Mythos Preview helped harden wolfSSL

At wolfSSL, we do an incredible amount of testing. Some of it is visible, some of it is not. You can see our GitHub Actions run on every pull request, and behind that we have a private Jenkins setup doing more extensive testing across multiple platforms, some of it on hardware physically sat in one of our offices.

Then we have static code analysis and fuzz testing. Pretty much every tool you can think of, we probably already use. We also have incredibly powerful home-grown AI-powered static analysis tools called Fenrir and Skoll, with a third AI-powered testing tool coming soon. We hand-write our code, but we embrace AI-powered tooling for testing it. Because if we do not, a bad actor will.

The next layer of our Testing Rainbow is eyeballs. Our code is reviewed internally by peers and externally by security researchers and industry experts. It also goes through multiple audit processes for compliance. When something is found, we react fast. We have a mean time between report and fix of 36 hours.

All of this matters because wolfSSL alone is around 2,000,000 lines of code, and that is before you count our other open source projects and language wrappers.

Recently there has been a lot of buzz around Claude Mythos Preview, Anthropic’s new frontier model for finding vulnerabilities in critical software, and some healthy speculation over whether it is really as good as the claims suggest. We have been talking to Anthropic over the last few weeks, and they pointed Mythos at wolfSSL. Their findings generated 8 CVEs and triggered the release of wolfSSL 5.9.1. We already spend thousands of dollars a month testing with Opus and other models, and none of them found what Mythos did.

So, is Mythos as good as the hype? On our codebase, yes. It found real issues that slipped past every other layer of our Rainbow of Testing, and our users now have a stronger wolfSSL because of it. If you are running wolfSSL in production, grab 5.9.1 now. And if you are building critical software and have not yet thought about AI-powered vulnerability discovery on your own code, now is the time, because the other side already has.

We would like to thank Nicholas Carlini and the team at Anthropic for running Mythos against our code and for working with us through the disclosure process.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
