[Bug] Anthropic API: Overly broad cybersecurity classifier flags defensive vulnerability redaction as offensive content

Open 💬 0 comments Opened Jun 9, 2026 by zcor

Bug Description
Subject: False positive — cybersecurity classifier downgraded a model mid-incident during defensive, urgent redaction work

Summary: During an active security incident, a safety classifier flagged a request and downgraded me from the requested advanced model to a slower one, with a message indicating the prompt was flagged for
cybersecurity. The task was defensive: removing an already-published exploit description from our public website at the affected client's request, because the vulnerability class still touches live funds. The
classifier appears to have read "content about a vulnerability" as offensive intent, when the actual task was taking attack information down as fast as possible. This added friction and risk during a time-sensitive
incident.

What we were doing:

  • A vulnerability finding (resolved before the contract was deployed) had been published in a client case study and audit report with full mechanism detail.
  • The client flagged that the same class of behavior still affects live, deployed pools, and asked us to remove/obscure the public description urgently.
  • The work was purely removal and redaction of already-public content — stripping a reproduction recipe, line numbers, formulas, and dollar figures — plus taking the pages offline. No new exploit content was Why this is a false positive:
  • The intent was defensive and prosocial: reduce a live attack surface, at the data owner's request.
  • The operation was deletion/redaction, not generation. A classifier that can't distinguish "remove these attack instructions" from "produce attack instructions" will systematically penalize defenders and incident

responders.

  • The trigger was topical (the text was about a vulnerability), not behavioral. Security work is unavoidably about vulnerabilities; topic-based flagging makes the assistant least useful exactly when defensive

urgency is highest.

The concrete cost:

  • A mid-task model downgrade during a live incident, which both slowed the work and dropped working context at the worst moment — when the priority was speed.
  • This is the friction-on-defenders failure mode: the people most disadvantaged by an over-broad cybersecurity classifier are the ones doing legitimate defensive and remediation work under time pressure.

What we'd ask for:

  • Treat removal/redaction of already-public security content as distinct from generation of new offensive content in the classifier.
  • Weight task intent (defensive incident response, owner-authorized) alongside topic, rather than flagging on the presence of vulnerability terminology alone.
  • Avoid mid-task model swaps when work is already in flight; if a flag fires, prefer a confirmation path over a silent downgrade that discards context. We had cybersecurity access for prior versions, how can we register for new version ASAP?

Environment Info

  • Platform: darwin
  • Terminal: iTerm.app
  • Version: 2.1.170
  • Feedback ID: 4e6d1e8f-2441-488e-90da-308a259aed52

Errors

[]

View original on GitHub ↗