Thanks Graham. I'll summarise for people here who might not want to follow the Reddit thread.
Another of Devansh's claims repeated in El Reg, that "the Linux kernel bug" was found by Opus 4.6 not Mythos Preview, is also wrong. The Carlini/Anthropic article from 7 April makes it clear that Mythos Preview found multiple Linux kernel vulnerabilities! This comes from Devansh misunderstanding this post by Michael Lynch: https://mtlynch.io/claude-code-found-linux-vulnerability/
Devansh is also incorrect in his claim that all five exploits listed by Lynch were found by Opus 4.6 - Lynch makes no claim about what model was used, and by looking at the commits you can see the third one ("futex: Require sys_futex_requeue() to have identical flags") was found by Mythos Preview: Carlini's 7 April report includes "see, e.g., commit e2f78c7ec165 patched last week". https://github.com/torvalds/linux/commit/e2f78c7ec1655fedd945366151ba54fcb9580508
Looking at the dates on the other commits, I think at least one other was found by Mythos Preview too.
The weird thing is that other parts of Devansh's substack post actually get the Calif/Anthropic distinction correct. So I just cannot understand how he looks in Calif's GitHub repo and attributes the work to Carlini unless - and the writing style and theme of the blog suggests this might well be the case - it was substantially written by AI. My sneaky duck senses are very strongly tingling on that, in fact. It would be ironic if a journalist writing an article about AI not being so scary after all has been misled by an AI in the process...
Since Devansh doesn't add any original and just regurgitates other stuff (often inaccurately) it's a shame the journo didn't go straight to Devansh's cited sources and quote them instead. Would have saved stuff getting corrupted in the pass-the-message telephone game.
