Mozilla Fixed 271 Firefox Bugs Using Anthropic’s Mythos

Summary
– Mozilla’s Firefox 150 release includes fixes for 271 vulnerabilities identified using early access to Anthropic’s AI model, Mythos Preview.
– AI companies like Anthropic and OpenAI have released new models with advanced cybersecurity capabilities, but are limiting access and forming working groups to assess the impact.
– Firefox’s CTO states these AI tools dramatically change vulnerability hunting by automating the discovery of bug categories previously only found through costly manual analysis.
– He argues all software must undergo a transition to fix now-discoverable latent bugs, a difficult but finite period before these capabilities become widely available.
– Open-source software, including unmaintained “abandonware,” could be especially impacted by these AI-powered bug-hunting tools.
The recent release of Firefox 150 incorporates fixes for 271 vulnerabilities identified using early access to Anthropic’s Mythos Preview AI model. This development arrives as the cybersecurity community grapples with the profound implications of new AI capabilities for both defense and offense. Mozilla’s experience demonstrates that these tools can dramatically scale vulnerability discovery, though adapting to the resulting influx of bugs demands significant resources and disciplined focus. The organization views this intensive effort as a necessary step to protect users, recognizing that these powerful capabilities will soon be accessible to adversaries.
Anthropic and OpenAI have both recently unveiled AI models touted for their advanced cybersecurity capabilities, potentially marking a turning point in how software flaws are found. In response, the companies have initiated limited private releases and convened industry groups to evaluate the technology and develop strategies. Cybersecurity experts, however, hold divergent opinions on the ultimate impact of these advances. Mozilla’s short-term results suggest that for vulnerability hunters, the effect could be substantial.
According to Bobby Holley, Firefox’s chief technology officer, the landscape has shifted. “Our belief is that the tools have changed things dramatically,” he states, “because now we have automated techniques that can cover, as far as we can tell, the full space of vulnerability-inducing bugs.” For years, the standard approach combined automated methods like software fuzzing with manual review by internal and external researchers. Attackers possessed the same toolkit. Holley explains that certain bug categories were only detectable through costly human analysis, a barrier that defenders worked to keep high for threat actors.
Holley now describes a coming transition where all software will need to undergo a form of AI bootcamp to root out latent vulnerabilities before the capabilities become ubiquitous. He suggests companies like Anthropic and OpenAI are attempting to guide major players through this overhaul proactively. “Every piece of software is going to have to make this transition,” Holley asserts, “because every piece of software has a lot of bugs buried underneath the surface that are now discoverable.”
He characterizes this as a difficult but finite period requiring coordinated focus. “This is a transitory moment that is difficult and requires coordinated focus and a lot of grit to get through, but I think that it is a finite moment,” Holley says. He believes that, having gained a head start, the Firefox team has already “rounded the curve,” and that while more advanced models may find additional issues, the bulk of this foundational work is complete. Mozilla’s access to Mythos Preview came via direct collaboration with Anthropic, not through its larger Project Glasswing consortium.
The implications of AI-powered bug hunting are particularly significant for open source software. Open source projects, Firefox among them, are widely deployed and critically depended upon globally, yet many of them are maintained by small volunteer teams or even single individuals. The new AI tools could expose vast numbers of flaws in these projects, creating an immense remediation burden for maintainers with little capacity to absorb it. The situation is most acute for abandonware, software that is no longer maintained at all, where any vulnerabilities these tools surface would remain permanently unpatched.
(Source: Wired)