RELEASE: Gottheimer Praises Anthropic for Taking Action After Addressing His Concerns 

WASHINGTON, D.C. — Congressman Josh Gottheimer (NJ-5), Co-Chair of the House Democratic Commission on AI and the Innovation Economy, applauded Anthropic for taking action to address concerns raised about “Project Glasswing” and the use of non-disclosure agreements (NDAs) that had prevented participating organizations from sharing information about critical cyber vulnerabilities identified through the program.

Following Gottheimer’s letter calling on Anthropic to change course, Anthropic announced carve-outs to the program that will allow organizations to responsibly share information about urgent cyber threats with trusted partners and relevant stakeholders. Gottheimer called on all platforms to follow suit. 

“I’m glad that Anthropic has done the right thing here and made these critical changes,” said Congressman Josh Gottheimer (NJ-5). “Responsible information sharing is a cornerstone of cybersecurity. No entity should be contractually restricted from warning others, coordinating mitigations, or informing relevant and trusted stakeholders about urgent cyber risks — and Anthropic stepped up.”

“I encourage all other platforms to quickly follow suit,” Gottheimer continued. “As AI systems become more advanced, we need strong safeguards and rapid information sharing to protect against cyber threats and keep Americans safe.”

Gottheimer had previously called on Anthropic to nullify the portions of its NDA that prohibited responsible sharing of cyber vulnerability information with trusted organizations, and urged all frontier AI developers — including OpenAI and others operating similar programs — to ensure organizations can share critical cyber risk information with trusted industry partners and government agencies.

Find the full letter here and below:

Mr. Dario Amodei

CEO

Anthropic

548 Market Street

San Francisco, CA 94104

Dear Mr. Amodei:

Project Glasswing is an important step toward securing critical physical and digital infrastructure

from the cyber risks posed by your frontier AI model, Mythos. It is essential that any frontier AI

model developer building these systems acts with the utmost caution when credible

vulnerabilities are identified. My understanding is that you decided to limit Project Glasswing to

approximately forty companies, which, of course, excluded many organizations — small,

medium, and large — in a cross section of industries with vulnerabilities.

It has also come to my attention that Anthropic required the limited organizations allowed to

participate in Project Glasswing to sign a Non-Disclosure Agreement (NDA) that prevents any

information sharing with other organizations about critical cyber vulnerabilities they identified

through this process.

Given the serious risk models including Mythos pose to critical systems, I urge Anthropic to

nullify that part of its NDA and immediately allow the companies participating in Project

Glasswing to share their findings with other trusted industry partners. Doing so will help ensure

that as many entities as possible are protected against these types of cyber threats. I’m sure that

you would agree that they would all benefit from the learnings of those that have access to

Mythos to help protect their organizations from the vulnerabilities it can expose. All

foundational model developers should do everything they can to prevent malicious exploitation

and ensure that this information is shared responsibly and used to strengthen defenses.

No entity should be contractually restricted from warning others, coordinating mitigations, or

informing relevant and trusted stakeholders about urgent cyber risks. For example, a large utility

or hospital that has access to Mythos should be able to let smaller organizations in their industry

relying on similar software systems know what vulnerabilities Mythos exposed, so that they can

secure their systems, too. Of course, there should be an appropriate vetting process, but the

NDA should not be a bottleneck to these organizations being able to share with other known,

trusted organizations.

Responsible information sharing is a cornerstone of cybersecurity — one organization’s data on an attack can help others detect the same tactic earlier, reduce damage, and respond faster. As frontier AI models gain increasing cyber capabilities, the need for rapid and protected information sharing about potential vulnerabilities becomes more urgent. Any insights on the vulnerabilities that Mythos found in one company’s system can help a significant number of others that may never get access to it, or don’t have the resources to, either technologically or financially, to utilize it.

I also urge all of the leading platforms to adopt the same approach, including OpenAI for entities

involved in its Trusted Access for Cyber program. If trusted organizations participating in that

program identify serious vulnerabilities, exploit paths, or misuse risks, they must be free to share

that information responsibly, so threats can be contained before they are used by malicious

actors. No company operating at the frontier of AI should use contractual restrictions to impede

disclosure of critical cyber risk information, including, of course, with the Department of

Homeland Security and the Intelligence Community.

I look forward to your response and to continuing to work with you on this critical national

security issue. Thank you.

Sincerely, Josh Gottheimer Member of Congress

CC: The Honorable Scott Bessent, United States Secretary of the Treasury The Honorable Markwayne Mullin, Secretary of Homeland Security The Honorable Tulsi Gabbard, Director of National Intelligence The Honorable John Ratcliffe, Director of the Central Intelligence Agency The Honorable General Joshua Rudd, Director of the National Security Agency The Honorable Nick Andersen, Acting Director of the Cybersecurity and Infrastructure Security Agency Sundar Pichai, CEO, Google Mark Zuckerberg, CEO, Meta Satya Nadella, CEO, Microsoft Sam Altman, CEO, OpenAI

###