About this dashboard
Anthropic uses Claude to discover security vulnerabilities in widely used open-source software. When a finding is validated, the affected project's maintainers are notified privately and given time to issue a fix before details are made public, consistent with the timelines in our Coordinated Vulnerability Disclosure policy. This site summarizes the program's progress as of May 22, 2026.
The following are the external security research firms that work with us to triage Claude's vulnerability findings and notify project maintainers. Additional detail on their analysis will follow in subsequent dashboard updates.
| Term | Definition |
|---|---|
| Candidates | Every distinct crash or vulnerability hypothesis that Claude produced across the program, before any triage. |
| True positive rate | The share of firm-reviewed findings confirmed as real, including duplicates and "won't fix" findings. |
| Total reported to maintainers | A finding whose report has been sent to the project maintainer. |
| Acknowledged by maintainer | The maintainer has responded to the report. This count reflects the fact that OSS maintainers are currently experiencing a higher volume of inbound security findings. Our teams reach out to maintainers based on the severity of the findings and the volume a maintainer is already handling. |
| Patched upstream | A patch has landed after the report was sent. |
| Security advisories published | A CVE or GHSA identifier assigned to a finding. Identifiers themselves are listed once the finding's disclosure window has closed. |
| Disclosure window | See Anthropic's Coordinated Vulnerability Disclosure policy. |
| Commitment hash | A SHA-3-512 hash of the finding, published when the disclosure clock starts. |
| Ledger | The append-only record of commitment hashes and their reveal state. |
| Severity | The assessor's rating of impact (critical, high, medium, low). |
| Bug class | The vulnerability category. |
The commitment hash is the SHA-3-512 digest of a canonical JSON document. The document has sorted keys, no whitespace between tokens, and is encoded as UTF-8. It contains the finding identifier, project, creation time, title, bug class, target commit, location, discovery time, Claude's and the security research firm's severity assessments, the description, technical details, reproduction steps, and the SHA-256 of the proof-of-concept artifact. Fields not known at approval time are recorded as null. To verify, download the preimage JSON from the finding card and confirm that its SHA-3-512 digest matches the commitment hash published on the ledger. Hash the downloaded bytes exactly as served: re-serializing the JSON with a different key order, whitespace, or character escaping produces a different digest even though the data is unchanged.
Once a finding's disclosure window closes, its identifier in the ledger links to a finding card. A card shows the project, bug class, and severity. When the report body carries substantive content, the card also shows the vulnerability report that was sent to the maintainers. Every card links to any assigned advisory and shows the commitment hash with its preimage JSON, so that the published card can be verified against the ledger entry that committed to it.
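The two paragraphs above describe a commit-and-reveal scheme: canonical JSON, SHA-3-512 over it, a ledger entry holding the digest, and a later finding card whose preimage must reproduce that digest. The following Python is an added illustration of that check, not the dashboard's own code. The field names, the sample finding, and the proof-of-concept bytes are assumptions constructed for the example; only the canonicalization rules (sorted keys, no whitespace, UTF-8, null for unknown fields) and the hash functions come from the text.

```python
"""Commit-and-reveal verification for a finding card (added example, not the
dashboard's code; field names and sample data are assumptions)."""
import hashlib
import json


def canonical_json(doc: dict) -> bytes:
    """Serialize a finding as the page describes: sorted keys, no whitespace
    between tokens, UTF-8 bytes.

    ensure_ascii=False keeps non-ASCII characters as raw UTF-8 rather than
    \\uXXXX escapes. Committer and verifier must agree on this choice (an
    assumption here), because either form is valid JSON but they hash differently.
    """
    return json.dumps(
        doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def commitment_hash(doc: dict) -> str:
    """SHA-3-512 of the canonical document, as published on the ledger."""
    return hashlib.sha3_512(canonical_json(doc)).hexdigest()


def poc_sha256(artifact: bytes) -> str:
    """SHA-256 of the proof-of-concept artifact, embedded in the document."""
    return hashlib.sha256(artifact).hexdigest()


def verify_preimage(preimage_bytes: bytes, ledger_hash: str) -> bool:
    """Check a downloaded preimage against the ledger entry.

    Step 1 hashes the bytes exactly as downloaded, because that is what was
    committed. Step 2 additionally confirms the file is in canonical form, so
    that a reader who re-serializes the parsed JSON would land on the same
    digest rather than a silently different one.
    """
    if hashlib.sha3_512(preimage_bytes).hexdigest() != ledger_hash.lower():
        return False
    try:
        doc = json.loads(preimage_bytes.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return canonical_json(doc) == preimage_bytes


# Constructed sample finding. Identifiers, paths and commit are hypothetical.
POC_ARTIFACT = b"import sys; sys.stdout.write('A' * 4096)\n"
SAMPLE_FINDING = {
    "id": "FINDING-0001",
    "project": "example/project",
    "created_at": "2026-01-15T12:00:00Z",
    "title": "Out-of-bounds read in record parser",
    "bug_class": "out-of-bounds read",
    "target_commit": "0123456789abcdef0123456789abcdef01234567",
    "location": "src/parse.c:120",
    "discovered_at": "2026-01-14T09:30:00Z",
    "severity_claude": "high",
    "severity_firm": None,  # not known at approval time, so recorded as null
    "description": "Length field is trusted without a bounds check.",
    "technical_details": None,
    "reproduction_steps": None,
    "poc_sha256": poc_sha256(POC_ARTIFACT),
}


def demo() -> bool:
    """Commit, then reveal: a faithful preimage verifies, an edited one does not."""
    ledger_entry = commitment_hash(SAMPLE_FINDING)
    revealed = canonical_json(SAMPLE_FINDING)
    ok = verify_preimage(revealed, ledger_entry)
    # Filling in a field after the clock started changes the digest.
    edited = dict(SAMPLE_FINDING, severity_firm="low")
    tampered_ok = verify_preimage(canonical_json(edited), ledger_entry)
    return ok and not tampered_ok


if __name__ == "__main__":
    print("verification behaves as expected:", demo())
```

A pretty-printed copy of the same preimage (indentation, a trailing newline, or `\u` escapes) fails step 1 even though its content is identical, which is why the card should be checked from the exact bytes it serves rather than from a re-exported JSON view.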