Mozilla Says Anthropic's Mythos AI Uncovered 271 Firefox Bugs With Near-Zero False Positives

Main Takeaway
Mozilla reveals Anthropic's Mythos AI found 271 Firefox vulnerabilities since February with almost no false positives, signaling a major shift in.
Summary
Mozilla's dramatic security sweep
Mozilla has disclosed that its Firefox engineering team, working with Anthropic's newly released Mythos AI model, identified and patched 271 security vulnerabilities in just over two months. According to Mozilla's official blog, the fixes are shipping with Firefox 150 this week. The company claims the AI-driven process produced "almost no false positives," a striking assertion given the volume of bugs discovered. Mozilla CTO Eric Rescorla told The Register that AI gives defenders "a chance to get on top of security" for the first time.
The partnership behind the numbers
The effort began in February when Mozilla started feeding Firefox source code to an early preview of Claude Mythos, Anthropic's security-focused large language model. Mozilla had already collaborated with Anthropic's earlier Opus 4.6 model, which yielded 22 security-sensitive fixes in Firefox 148. With Mythos, the scope exploded: bugs ranged from a 15-year-old HTML <legend> flaw to more complex memory-safety issues. Mozilla's security team notes the AI didn't just flag obvious patterns; it reasoned through multi-file call chains to uncover subtle logic errors.
Why this matters for open source security
For open-source projects long starved of dedicated security review, automated bug discovery could level the playing field. Mozilla's experiment suggests small teams can now punch above their weight. The company has open-sourced both the agentic harness used to run Mythos against Firefox and the triage workflow that kept false positives near zero. Other maintainers can adapt the same pipeline to scan their own repositories. TechCrunch reports that Mozilla is "completely bought in" on AI-assisted discovery and plans to run continuous scans before every release.
The impact on enterprise adoption
Enterprise security teams have historically relied on expensive human audits and commercial static-analysis suites. Mozilla's results imply that frontier models can match elite consultants at a fraction of the cost. While Mythos itself is not yet publicly available, Anthropic has signaled a controlled release program for qualified security researchers. Early adopters will likely be large software vendors and cloud providers looking to shrink their vulnerability backlogs. The Register notes that if the false-positive rate holds across other codebases, traditional penetration-testing budgets may be reallocated toward AI tooling.
What happens next
Mozilla intends to bake Mythos-driven scanning into its nightly CI pipeline, effectively treating every commit as a potential security review. Anthropic, meanwhile, is gathering feedback before a wider rollout. The immediate consequence: Firefox users receive 271 fewer zero-day opportunities. The longer-term question is whether attackers will weaponize the same models for offense. Mozilla's Rescorla argues that defenders have structural advantages (access to source, reproducible builds, controlled test environments), so the balance may finally tilt in their favor. If other vendors replicate Mozilla's success, the industry could see a sharp drop in easily exploitable browser bugs by year-end.
Key Points
Mozilla patched 271 Firefox vulnerabilities found by Anthropic's Claude Mythos AI since February 2026
Mozilla claims the AI-driven process produced "almost no false positives" across the entire batch
Bugs ranged from 15-year-old HTML flaws to complex memory-safety issues in multi-file call chains
Mozilla has open-sourced the agentic harness and triage workflow for other projects to replicate
Enterprise security teams may reallocate budgets from human audits to AI tooling if results scale
Questions Answered
271 vulnerabilities were identified and fixed in Firefox 150, discovered over a two-month collaboration between Mozilla and Anthropic using the Claude Mythos AI model.
Mozilla states the process had "almost no false positives," meaning nearly every bug flagged by Mythos was confirmed as a genuine security issue.
Yes. Mozilla has open-sourced both the agentic harness used to run Mythos against Firefox and the triage workflow that filtered false positives.
Mozilla began using Anthropic models in February 2026, first with Opus 4.6 (22 bugs in Firefox 148) and then with the more advanced Claude Mythos preview.
Anthropic plans a controlled release program for qualified security researchers, but the model is not yet generally available to the public.
Source Reliability
42% of sources are highly trusted · Avg reliability: 70