The math doesn't add up. They say they found more than 20k vulnerabilities, then it decreases to 1700 high or critical, then this number becomes 175 (when Claude didn't reassess the CVE severity) and over 500 later on. Then they say they confirmed 800 vulnerabilities... what happened to the 20k figure?
Plus, they also mention they check if fixes are available for the bugs they found. What are the chances they are re-reporting old bugs just to inflate their numbers? Bugs that were already fixed?
And how can we be sure their reassessment is not artificially increasing the severity of the CVEs found just to create FUD and sell their product?