The prompt that got Claude Fable 5 banned under export controls was 'fix this code.' Kate Moussouris at Luta Security confirms the researchers took open-source code with known CVEs, added deliberately planted vulnerabilities, and asked Fable 5, Mythos, and Opus to review and then fix the code. Fable 5 complied with the fix request. That output, after a multistep manual process, became scripts that test patches. That is the entirety of the so-called jailbreak.
Moussouris makes the core argument clearly: asking an AI to fix a bug, explain the fix, and write a confirming test is the find-fix-test loop defenders run every day. Removing that capability does not make Fable 5 safer. It makes it worse at the one job that matters most to security engineers. The prompts worked because they were defensive requests. That capability is inseparable from basic bug-fixing.
The original Luta Security post is worth reading in full because Moussouris builds the technical and policy case simultaneously. The real problem she identifies is structural: non-technical decision-makers have spent months being told that models capable of 'crafting cyberattacks' are uniquely dangerous, and they now cannot distinguish that threat from a model that patches a CVE. The regulatory logic, if extended, bans the defender's toolchain entirely.
[READ ORIGINAL →]