It's not an easy problem to solve. You can identify certain open source projects that you deem critical and give them access too in a private fashion (maybe even under NDA). Not every state actor will have early access; Russia and the Chinese surely won't, and that matters in current affairs. It's probably only the US gvmt, not even European allies, who currently can use Mythos. The announcement specifically says "Anthropic has also been in ongoing discussions with US government officials about Claude Mythos Preview".

There is no good solution to this. Only less bad. It annoys me a bit that many comments on HN imply that open-sourcing everything right away is the answer to everything. To be clear, I'm not annoyed at your comment specifically, it's more an overall sentiment that I perceive here that I feel is very complacent. We've already seen how OSS maintainers get overwhelmed by AI vulnerability reports; I feel it's a responsible thing to gatekeep this for as long as possible (which really is only a few months, at most - other models catch up fast), and try to work with important maintainers directly to help fix the most critical stuff and onboard them to a new world of the AI-assisted cat-and-mouse security game.

This is just damage control. The damage, i.e. the attack capabilities opened up by this, is pretty brutal, and likely requires a substantial shift in mindset from OSS maintainers. This approach gives a few months of transition time. Who decides who is an important maintainer and who isn't? Again, super grey area; there's no time to decide on a proper process given how fast other models will catch up, so realistically you can just do a bit of a best effort here and try to not botch it up entirely. Anthropic went with the Linux foundation here. It's a reasonable choice. Not a perfect one, but you gotta start somewhere.