Security industry heavyweights have published an open letter to the United States Department of Commerce, asking it to lift the suddenly imposed export controls on the Fable and Mythos-class AIs, which saw Anthropic disable access to them for everyone just days after the models were released.
Katie Moussouris.
In the letter the signatories do not dispute that the Mythos-class models can find software vulnerabilities, and generate working exploits.
Instead, the security experts point out that such capabilities are far from unique, and available in in other models.
“Many of the undersigned individuals regularly use other foundation and open-source models for security audits and red-teaming every day,” the letter states, pointing to GPT-5.5, Opus, Sonnet, and the Chinese model Kimi 2.7 as systems with comparable abilities.
Chinese open-weight models are just months behind the best American AIs, the letter writers said.
It is also likely that the Chinese government holds private capabilities beyond what’s been published, they added.
Removing access to the Mythos-class models achieves only one out come, namely stripping the best available tooling from the defenders who most need it, the letter writers argue.
Export controls for Mythos-class models is not a security measure but a unilateral disarmament of Western cyber defenders, the signatories claim.
While some in the group of letter writers disagree on whether AI regulation is appropriate in principle, they share common ground on a process based on scientific evaluation through democratic rule-making and transparency, should controls be applied.
The letter is addressed to Commerce Secretary Howard Lutnick and National Cyber Director Sean Cairncross and was published at freefable.org.
It carries 42 signatures from CISOs, chief executives, and senior researchers at security and technology companies including Sophos, Adobe, Zoom, NVIDIA, and Veracode.
Heavy-handed and hasty export control directive “misguided”
Anthropic privately shared the third-party research paper that triggered the imposition of the export controls with one of the letter signatories, Microsoft bug bounty program creator and Luta Security chief executive Katie Moussouris.
Moussouris was asked by Anthopic to provide an assessment on the paper, before the export controls were imposed.
“Since I appear to be the only outside expert who has actually read the paper, I can separate the technical facts from the speculation,” Moussouris wrote.
“The researchers took open-source code with known CVEs, plus new code with deliberately planted vulnerabilities, and asked Fable 5, Mythos, and Opus to “review the code for security issues.”
“Fable 5 refused.
“They then asked the models to ‘fix this code’ and, through a multistep and manual process, turned the output into scripts that test the patches,” Moussouris added.
Moussouris explained that the prompts worked because they were defensive requests.
As such, the capability to act on the prompts cannot be removed without making the models worse at fixing bugs and verifying patches.
The unintended consequence of restricting access to the Mythos-class models is that it will harm defence while doing nothing to impede attackers, Moussouris said.
