Fable 5 is back worldwide: Anthropic resolves the crisis, launches HackerOne and partners with the US government on AI security
AI Security

Fable 5 is back worldwide: Anthropic resolves the crisis, launches HackerOne and partners with the US government on AI security

July 02, 2026·Davide Stigliani

Less than two weeks after the block that shook the entire global AI ecosystem, here comes the plot twist. On the evening of July 1, 2026, Anthropic made Fable 5 available again worldwide. In parallel, Mythos 5 has also become accessible again, not globally, but for US companies approved directly by the Trump administration. The news triggered immediate reactions across the tech community: relief from developers and companies that had built critical pipelines on these models, but also deeper questions about what actually happened, why the block lasted so briefly, and above all what changes now in the relationship between the major AI companies and the US government. To grasp the scope of this development, we need to reconstruct the sequence of events precisely.

When the Fable 5 and Mythos 5 block was announced, the prevailing narrative interpreted it mainly as a geopolitical move, an attempt by the US government to limit foreign access to the most powerful AI models. A plausible reading, but incomplete. Anthropic's official statement on July 1 reveals a more precise and technical version of what happened: the suspension was triggered by the reporting of specific flaws in the system by an Amazon security research team, one of Anthropic's main investors and cloud partners.

These vulnerabilities were not theoretical. They were concrete exploits, sophisticated jailbreak techniques that made it possible to bypass Fable 5 and Mythos 5's safety guardrails to obtain outputs the model should never have produced under any circumstances: detailed instructions to identify and exploit critical software vulnerabilities, potentially usable for cyberattacks on sensitive infrastructure. The US government, informed of these vulnerabilities, had asked Anthropic to restrict access to US users only, presumably to reduce the attack surface while the problem was being fixed. But Anthropic ran into a practical problem it could not overcome: it did not have a reliable system to verify the citizenship or residence of users accessing via API. With no way to implement that geographic restriction reliably and quickly, the company chose the most conservative path: a total global suspension.

The speed at which Anthropic resolved the situation, less than fifteen days from suspension to global restoration, says a lot about the real nature of the problem and the lab's technical capability. The security team worked in emergency mode to analyze and patch the reported vulnerabilities: the flaws identified by the Amazon team were studied in depth, classified by severity and addressed with updates to the guardrail and output filtering systems. This kind of work demands extreme precision, because a patch that is too aggressive needlessly degrades the model's capabilities, while one that is too permissive leaves the vulnerability open.

In parallel, Anthropic worked with Amazon and Google to develop a shared framework to evaluate the severity of jailbreaks. This is not a temporary patch, but the construction of a systematic methodology that will make it possible in the future to classify AI vulnerabilities with the same rigor cybersecurity uses to classify CVEs, Common Vulnerabilities and Exposures. To meet the government's requests around Mythos 5, still subject to restrictions for non-US users, Anthropic deployed more robust identity and residence verification systems, which now allow selective geographic restrictions without needing to resort to a total suspension.

There is one element of the story that deserves particular attention, and that reframes the entire narrative of the block. In its post-incident research and investigations, Anthropic reached a conclusion that changed the picture substantially: the same vulnerabilities found in Fable 5 and Mythos 5 were present, or reproducible, in other less powerful models as well. Claude Opus 4.8, GPT-5.5 and Kimi K2.7 were all exploitable with similar techniques to produce the same dangerous outputs. This finding had two immediate and direct implications. The first is strategic: keeping Fable 5 blocked while equivalently vulnerable models remained available did not reduce risk in a meaningful way. A malicious actor who wanted to exploit these capabilities had easily accessible alternatives, and the selective block on Fable 5 had become a symbolic gesture rather than an effective security measure. The second is systemic: the problem was not specific to Anthropic or Fable 5, it was a structural problem of the entire frontier model category, a vulnerability that required a coordinated industry-wide response, not a unilateral action by a single lab. This analysis probably convinced the US government that the Fable 5 block was not achieving its stated objective, opening the way to restoring global access.

The most significant announcement in the July 1 communication is not the return of Fable 5. It is the launch of Anthropic's HackerOne program, a formal bug bounty program dedicated specifically to the security of AI models. HackerOne is the world's best-known platform for responsible disclosure programs in traditional cybersecurity, used by Google, Microsoft, Apple and hundreds of other tech companies to let independent security researchers report vulnerabilities in exchange for financial rewards. Applying this model to AI security is a significant step that deserves detailed analysis.

The mechanics are clear. Security researchers, both professionals and independent researchers, are invited to responsibly discover and report new jailbreak techniques and vulnerabilities in Anthropic's models. In exchange they receive financial rewards proportional to the severity of the vulnerability, with prizes for the most critical vulnerabilities in the tens of thousands of dollars, public recognition in the program's hall of fame and direct engagement with Anthropic's security team for the technical discussion of the vulnerability.

AI model security has traditionally operated in a relatively closed way: labs developed red teaming techniques internally, tested their models privately and managed vulnerabilities without a formal structure of engagement with the external community. This approach has clear limits: internal teams have blind spots, limited perspectives and inevitably miss vulnerabilities that fresh, diverse eyes could find quickly. The HackerOne model turns AI security into a collective effort, mobilizing the distributed intelligence of thousands of global researchers competing to find vulnerabilities before they can be exploited by malicious actors. It is exactly the model that has made traditional cybersecurity significantly more robust over the last twenty years, and its application to AI has long been expected by industry experts.

The other structurally significant announcement is the collaboration between Anthropic, Amazon and Google to develop a shared framework to evaluate the severity of jailbreaks in frontier AI models. Until now, each AI lab has evaluated its own model vulnerabilities using proprietary, non-standardized criteria that were not comparable across companies. There was nothing equivalent to the CVE system of traditional cybersecurity, a common framework that made it possible to classify vulnerabilities on a shared severity scale, communicate them in a standardized way and coordinate responses across different organizations.

The framework will define severity categories for jailbreaks, likely on a scale similar to the CVSS used in cybersecurity, based on criteria such as the type of harmful output the vulnerability allows, ease of exploit, availability of mitigations and the breadth of the attack surface. With a shared framework, when a researcher finds a vulnerability that affects multiple models from different companies, as with the flaws found in Fable 5 that were reproducible on GPT-5.5 and Kimi K2.7, there will be a formal process to coordinate with all the labs involved before making the vulnerability public. Over time, the framework will likely become the basis for AI security standards adopted more broadly, and it could integrate with regulatory frameworks like the European AI Act, which requires security assessments but does not yet specify in detail how to conduct them.

It is worth clarifying an important distinction the news made evident: Fable 5 and Mythos 5 did not receive the same treatment in the July 1 statement. Fable 5 is available globally again, for all users, in all countries, with no geographic restrictions. Anthropic and the US government assessed that, after the security patches and given the finding that equivalent vulnerabilities existed in other models that remained accessible anyway, there were no longer sufficient reasons to keep the global block. Mythos 5 is on a different path: it remains subject to access restrictions, available to US companies approved by the Trump administration but not yet to the global public. This differentiated treatment suggests that Mythos 5 has specific characteristics, likely related to particularly advanced capabilities in sensitive domains, which in the government's assessment justify tighter control even after the immediate technical vulnerabilities have been resolved. For European and international companies, this means that access to Mythos 5 remains uncertain in the short term, one more reason to build application architectures that do not depend on a single model.

The full arc of Fable 5, from launch to block to restoration in less than three weeks, contains lessons that go well beyond Anthropic's specific case. AI security cannot be an afterthought: the sequence of events shows that vulnerabilities in frontier AI models can have immediate and serious operational consequences, from service blocks to geopolitical crises and revenue losses, and security must be integrated into the development cycle from the start, not added as a final layer before release. Transparency is a resilience strategy: Anthropic managed the crisis relatively transparently, communicating the reasons for the block, acknowledging the vulnerabilities and announcing corrective measures, and that transparency helped limit reputational damage and preserve the trust of developers who depend on its models.

Cooperation between competitors is possible and necessary: the fact that Anthropic, Amazon and Google are collaborating on a shared security assessment framework, despite being direct competitors, shows that there are areas where cooperation produces collective benefits that outweigh the competitive advantages of siloed work. It is a model the industry should extend to other areas, from safety research to technical standards to incident response. Dependence on single cloud models is a real operational risk: for companies whose pipelines stopped with the Fable 5 block, this episode was a costly lesson on the fragility of depending on a single AI provider. Operational resilience requires multi-model architectures, fallbacks to alternative models and, where possible, local AI components like those enabled by projects such as DwarfStar.

With Fable 5 back and the governance structure Anthropic announced, the AI industry enters a new phase, characterized by an institutional maturity that was previously absent. The HackerOne bug bounty program turns AI security into an open, collaborative ecosystem, the shared framework with Amazon and Google lays the groundwork for an industry standard comparable to the CVE system, and the relationship between frontier labs and the US government is articulating itself into a structured dialogue rather than unilateral decisions. For European developers and companies, three concrete operational takeaways remain: assess your exposure to single AI providers today and design architectures with multiple fallbacks, monitor the evolution of the shared framework because it will soon become a reference for AI Act compliance, and seriously consider local AI components for workloads that handle sensitive data. The lesson of these three weeks is clear: frontier model security is no longer a technical topic reserved for labs, it has become critical infrastructure for digital business, and it must be designed with the same seriousness we bring to business continuity, disaster recovery and traditional cybersecurity.