Posts
Bouncy Castle: A Composite "Bypass" in a Legacy OID
I started by scanning crypto libraries and picked bc-java. Then I gave Codex a very specific prompt with standards context,
forced it to deliver a runnable PoC, and ended up with a verifier behavior that looked like a downgrade-by-truncation.
The report timeline and maintainer response clarified the semantics: the legacy composite OID was "either or both".
Later, Mythos/Glasswing hype and CVE-2026-5588 made the pattern feel even more real: models are getting good at finding
verification-policy cracks. Model quality matters, but context is king.
OpenBSD ftpd: a 29-year-old bug (almost 30)
Curious about how Mythos — the model behind Anthropic's Project Glasswing — was finding decades-old bugs, I tried the same idea
with what I already had: Codex 5.2 on medium reasoning, a small local RAG corpus of Linux kernel CVEs and C/C++ undefined-behavior
notes, and a freshly cloned OpenBSD tree. After about 29 minutes of agent loops, it surfaced an unconditional pointer/length update
after write() in send_data() — a write-error path that walks one byte before an mmap'd region. The fix
landed upstream as a six-line guard. The lesson stayed the same: model quality matters, but context is king.