I believe this has the same issue as the last article that had these claims.
We can assume that Mythos was given a much less pointed prompt/was able to come up with these vulnerabilities without specificity, while smaller models like Opus/GPT 5.4 had to be given a specific area or hints about where the vulnerability lives.
Or did they hire a team of cybersecurity specialists with the vast amount of funding at their disposal? I don't think it's reasonable to assume they used none of their other resources to search for something that could be a very profitable marketing campaign.
They say the focused prompts come from a previous step where the same model "planned" how to discover bugs in said repo. So it might be something like "here's a repo, plan how to find bugs, split work into manageable chunks" -> spawn_agent("prompt" + chunk).
We can assume that Mythos was given a much less pointed prompt/was able to come up with these vulnerabilities without specificity, while smaller models like Opus/GPT 5.4 had to be given a specific area or hints about where the vulnerability lives.
Please correct me if I'm wrong/misunderstanding.