Pwn2Own champion warns AI tools like Claude Mythos may end her competitive career

TL;DR:

  • Valentina “Chompie” Palmiotti, the most successful individual at Pwn2Own Berlin and an IBM X-Force security researcher, told the BBC she competed this year because “I thought it might be my last chance” — citing Anthropic’s Claude Mythos and the unreleased GPT-5.5 Cyber as likely to push human hackers out of routine bug-bounty work.
  • Pwn2Own awarded nearly $1.3 million (£970,000) to ethical hackers this year, with Chompie taking $20,000 for an Nvidia hack and $50,000 for a Linux system; Taiwan’s Orange Tsai led his team to $375,000 (£278,000) by finding more complex hacking pathways.
  • Anthropic says Claude Mythos has identified 1,600 vulnerabilities across hundreds of software programmes and is being released only to a select few governments and cybersecurity institutions — a positioning Resultsense’s coverage of BNP Paribas and Mistral has shown is creating tension with European banks.

The interview gives the bug-bounty industry’s most credentialled UK-visible voice on what AI cyber tools mean for the profession, landing the same week Reuters reported BNP Paribas openly raising the access-asymmetry concern with European regulators.

Context and Background

Chompie’s framing — that hackers are currently “in a sweet spot” where Claude Code accelerates rather than replaces them, but that Mythos-class models will end that window — matches the access-restriction strategy Anthropic has chosen for Mythos: select government and institutional release only. That makes the model’s economics fundamentally different from a publicly available bug-hunting tool. Orange Tsai’s more positive view — “AI feels more like a really awesome assistant that helps accelerate my research workflow” — represents the optimistic case, but even he agrees the bar for human discovery is rising.

The defensive read is the one Chompie ultimately lands on: AI cyber tools, if released responsibly to defenders first, should improve internet security overall. That is also the explicit case Anthropic has made for Mythos. The contested question is what “responsibly” means in practice — the BNP Paribas precedent, where a major European bank publicly complained about Mythos access disparities versus US institutions, suggests the responsible-release framework has access-equity gaps that regulators have not yet addressed.

For UK SMEs and security teams, the practical implication is that bug bounty as a sourcing strategy will narrow: the long tail of low-complexity vulnerabilities (Chompie’s “lower-hanging fruit”) will increasingly be found by autonomous systems rather than human bounty hunters, leaving humans to chase the genuinely novel attack surfaces. The cost economics of bug bounty programmes will need to be rethought accordingly.

Looking Forward

UK security teams should expect the bug-bounty market to consolidate around the highest-complexity research within 12–24 months, with autonomous vulnerability discovery handling the volume. The policy question — whether the access-equity issue raised by BNP Paribas attracts FCA or NCSC scrutiny in the UK financial-services context — is the one to watch. Chompie’s framing puts pressure on Anthropic and OpenAI to articulate their defender-first release commitments in operational terms, not just principles.