Mozilla's Firefox 150 Ships with 151 Anthropic-Found Bugs Squashed

Main Takeaway
Anthropic's restricted Mythos model helped Mozilla patch 151 bugs—22 rated critical—before Firefox 150 went live.
What Mozilla Actually Fixed
Mozilla rolled Firefox 150 out this week carrying patches for 151 bugs that had never been reported. Anthropic’s yet-to-ship Mythos model, running inside a sealed red-team environment, produced the findings. Twenty-two of the issues reached the highest severity tier; the rest were medium- and low-risk crashes or memory-safety gaps. All fixes landed in the release branch before the browser shipped to the public.
How the Hunt Worked
Mozilla handed Anthropic a static export of the Firefox codebase plus a fuzzing harness that can replay every parser path a webpage can trigger. Mythos then spent roughly 48 hours generating test cases, crashing the browser thousands of times, and auto-triaging the root causes. Engineers at Mozilla reviewed each ticket, confirmed reproducibility, and rewrote the vulnerable code. The whole loop—AI finds, humans verify, patches land—took three weeks.
Why Mozilla Isn’t Worried About Skynet Yet
Firefox CTO Bobby Holley calls the exercise proof that defenders still hold the edge: the same tooling that can weaponize a flaw can also neuter it before release. Mozilla argues that scaling bug discovery simply moves the arms race earlier in the pipeline, giving maintainers time instead of attackers. The bigger risk, Holley warns, is developer disruption: teams must learn to triage AI-generated reports without drowning in noise.
Anthropic’s Tight Lid on Mythos
Despite the PR win, Anthropic has kept Mythos locked to a tiny whitelist. A Bloomberg scoop claims unauthorized users briefly accessed the model via a leaked debug token; Anthropic says no evidence of misuse surfaced and the token was revoked. The company still plans a staged rollout under the banner “Project Glasswing,” with AWS, Apple, Google, Microsoft, and Nvidia lined up for early access. Mozilla remains the only public customer so far.
What This Means for the Wider Ecosystem
Every major browser and OS vendor now knows that a single AI pass can surface hundreds of latent bugs. Google’s Chrome team already runs fuzz farms; Microsoft has hinted at similar LLM pilots. Security teams are bracing for a flood of low-signal reports and racing to automate triage. Meanwhile, bug-bounty platforms like HackerOne quietly raised payouts last month, anticipating that AI will shrink the pool of easy wins.
What Happens Next
Mozilla says the next milestone is letting Mythos run continuously on nightly builds, not just annual audits. Anthropic is drafting a policy paper on disclosure timelines—how long companies get to patch before the model’s findings can be shared. Regulators in the US and EU have requested briefings, worried that AI-accelerated vulnerability discovery could outpace responsible disclosure norms. The Firefox team, for now, is simply grateful the bugs were caught on their own turf.
Key Points
Mozilla patched 151 bugs (22 critical) in Firefox 150 after Anthropic’s Mythos model found them during a private red-team exercise.
Mythos generated the findings in 48 hours; Mozilla engineers spent three weeks validating and fixing the code.
Firefox CTO argues the same AI that can weaponize flaws can also neutralize them before release, preserving the defender advantage.
Anthropic keeps Mythos locked down; a leaked debug token briefly exposed it to unauthorized users, now revoked.
Project Glasswing will extend Mythos access to AWS, Apple, Google, Microsoft, and Nvidia before any public release.
Questions Answered
No. Anthropic has restricted the model to a small whitelist under Project Glasswing; Mozilla is the only publicly disclosed user so far.
Mozilla says all 151 were zero-day vulnerabilities with no evidence of prior exploitation.
Mythos produced findings in roughly 48 hours; Mozilla spent three weeks reviewing, reproducing, and landing patches.
Mozilla argues humans are still needed for validation, prioritization, and writing fixes; AI accelerates discovery but doesn’t replace judgment.
Anthropic claims the same model can be used defensively faster than offensively, but regulators and vendors are drafting stricter access policies.
Mozilla plans to integrate continuous AI red-team runs on nightly builds, not just periodic audits.