Mozilla — 271 Vulnerabilities Found in Firefox 150 by Claude Mythos Preview
AI relevance: Anthropic's Claude Mythos Preview identified 271 security vulnerabilities in Firefox 150 — bugs that had survived decades of human audits, aggressive fuzzing, and open-source scrutiny — signaling a fundamental shift in how AI models are transforming defensive vulnerability research.
What happened
- Mozilla's Firefox team has been using frontier AI models for security audits since February 2026, starting with Anthropic's Opus 4.6 which found 22 security-sensitive bugs in Firefox 148.
- An early version of Claude Mythos Preview was then applied to the Firefox codebase, resulting in fixes for 271 vulnerabilities shipped in Firefox 150.
- Mozilla's Bobby Holley describes the team's reaction as "vertigo" — for a hardened target like Firefox, even a single finding would have been a red-alert event in 2025.
- The team found no category or complexity of vulnerability that humans can find that Mythos Preview cannot — the model performs at the level of elite human security researchers.
- Mozilla notes the model has not yet found bugs beyond human capability, but closing the gap between machine-discoverable and human-discoverable bugs erodes attackers' long-term asymmetric advantage.
- The previous security paradigm — making exploits expensive enough to deter casual use — is becoming obsolete when AI makes all discoveries cheap.
- Mozilla's approach involved reprioritizing everything else to focus single-mindedly on fixing the AI-discovered findings at scale.
Why it matters
- The finding that AI can match elite human researchers in source-code vulnerability discovery across all complexity levels marks a qualitative shift in AI-assisted security auditing.
- Organizations running hardened, internet-facing software should expect that any unpatched vulnerability discoverable by an expert human is now equally discoverable by AI — compressing the window for zero-day exploitation.
- AI vulnerability discovery gives defenders an advantage at scale: they can audit their entire codebase continuously and fix bugs in bulk, whereas an attacker still needs to find only one remaining entry point, so every bug removed ahead of time narrows what is left for them to find.
- The open-source ecosystem faces asymmetric risk — source code is publicly available for AI scanning by attackers, while many OSS projects lack the resources for comparable defensive audits.
What to do
- Integrate AI-assisted vulnerability discovery into your security development lifecycle — the Mozilla experience shows the ROI is immediate and dramatic.
- Accelerate patching cadences: the window between discovery and exploitation is collapsing as AI lowers the barrier for attackers.
- Open-source maintainers: treat AI scanning as a baseline expectation. Projects that don't proactively audit with AI tools should expect attackers to find their bugs first.