Mozilla’s Firefox 150 release includes fixes for 271 vulnerabilities identified using early access to Anthropic’s Mythos Preview AI model.
The discovery marks a significant increase from the 22 security-sensitive bugs found in Firefox 148 using Anthropic’s Opus 4.6 model earlier this year.
Mozilla CTO Bobby Holley described the scale of findings as causing “vertigo” for the Firefox team, noting that just one such bug would have triggered a red-alert response in 2025.
Despite the overwhelming volume, Holley emphasized that none of the vulnerabilities identified by Mythos were beyond the capability of elite human researchers to discover.
The AI tool effectively closed the gap between machine-discoverable and human-discoverable bugs, eroding attackers’ long-term advantage by making vulnerability discovery significantly cheaper.
Holley stated that while the immediate impact feels terrifying, the development is ultimately positive for defenders, giving them a chance to win decisively in the ongoing cybersecurity battle.
He argued that the industry has historically fought security to a draw, but AI tools like Mythos shift the balance by making exploits so expensive to develop that only actors with unlimited budgets could afford them.
The Firefox team had to reprioritize all other work to address the flood of bugs, describing the effort as requiring relentless and single-minded focus.
Holley dismissed concerns that future AI models will uncover entirely new forms of vulnerability beyond current comprehension, stating such fears are unfounded based on their testing.
Mozilla views the current moment as transitory but finite—a necessary bootcamp for all software to undergo before AI capabilities become more widely available.
The company continues to use defense-in-depth strategies, including sandboxing websites in separate processes and leveraging Rust to mitigate common vulnerability classes.
Despite adopting Rust industry-wide, Mozilla acknowledges it cannot afford to rewrite decades of C++ code, limiting the language’s impact on legacy components.
An internal red team remains tasked with staying at the forefront of automated analysis techniques, which until recently relied primarily on dynamic methods like fuzzing.
Both Anthropic and OpenAI have limited private releases of their new AI models while convening industry working groups to assess cybersecurity implications.
Cybersecurity experts remain divided on how consequential the new AI capabilities will be in the long term for offense and defense dynamics.
How many vulnerabilities did Mythos find in Firefox 150 compared to earlier versions?
Mythos identified 271 vulnerabilities in Firefox 150, a substantial increase from the 22 security-sensitive bugs found in Firefox 148 using Anthropic’s Opus 4.6 model.
Did the AI-discovered vulnerabilities include types that humans could not find?
No, Mozilla’s CTO Bobby Holley stated they found no bugs that couldn’t have been discovered by an elite human researcher, closing the gap between machine and human discovery capabilities.