Mozilla used Anthropic’s Mythos to find and fix 271 bugs in Firefox
At a glance:
- Mozilla fixed 271 vulnerabilities in Firefox 150 using Anthropic’s Mythos Preview.
- AI-driven bug hunting could force every software project through a security overhaul.
- Open-source maintainers may struggle to keep pace without more resources.
AI bug hunting changes the game for software security
Mozilla’s disclosure that it used Anthropic’s Mythos Preview to uncover and patch 271 vulnerabilities in Firefox 150 marks a turning point in how software security is approached. For years, vulnerability discovery relied on a mix of automated fuzzing and manual research by internal and external experts. Attackers had access to the same tools, but certain bug classes remained out of reach for automation. That gap is now closing. Emerging AI models can, in theory, scan the entire space of vulnerability-inducing bugs, leaving no corner of code unexamined.
Bobby Holley, Firefox’s chief technology officer, describes the shift as a “bootcamp” every software project must endure. The implication is stark: latent flaws buried in codebases are now discoverable at scale, and the window for defenders to act before attackers do is shrinking. Anthropic and OpenAI have both released early-access models with advanced cybersecurity capabilities, but only to select partners and under strict controls. The companies are convening industry working groups to assess the impact, yet the broader cybersecurity community remains divided on how consequential these advances will be in the near term.
The open-source dilemma
Open-source software, which underpins much of the internet, faces unique risks from AI-driven vulnerability hunting. Many critical projects are maintained by small teams or even single volunteers, with little funding or institutional support. The arrival of AI tools that can expose hidden bugs at unprecedented speed could overwhelm these maintainers, especially for “abandonware” that is no longer actively maintained. Holley warns that while large companies may pull thousands of engineers to address the issue, smaller projects could be left exposed.
Mozilla is working to share knowledge and tools across the open-source ecosystem, both formally and informally. But Holley acknowledges that technology alone cannot solve the problem. “Ultimately the open source stuff is a human problem,” he says. “There’s only so much that you can scale with technology—there’s a lot of the industry and everybody just needing to come together.” The challenge is not just technical but also cultural and economic, as the most valuable software infrastructure is often maintained by people working for free while companies profit from it.
A transitory but necessary moment
Holley believes the current upheaval is a finite moment, even as AI models become more advanced. Firefox, having gained early access to Mythos Preview through direct collaboration with Anthropic, claims to have “rounded the curve” on the initial wave of discoveries. The team had to adjust to a “firehose” of bugs, requiring significant resources and discipline. Yet Holley is confident that once the initial overhaul is complete, the pace of critical discoveries will slow.
This perspective offers a measure of reassurance, but also a warning: the transition will be difficult and require coordinated focus across the industry. Mozilla’s CTO, Raffi Krikorian, recently argued in a New York Times Opinion essay that the underlying economics of software maintenance have not changed. The risk is that organizations with resources will adapt first, leaving others vulnerable. As AI-driven vulnerability hunting becomes more widespread, the gap between well-resourced and under-resourced projects could widen, making collaboration and resource-sharing more critical than ever.
What’s next for software security
The experience of Mozilla and Firefox suggests that AI-powered vulnerability hunting is not a distant possibility but a present reality. The question now is how the broader industry will respond. Will companies invest in securing their codebases before attackers gain access to the same tools? Can the open-source community mobilize the resources needed to protect critical infrastructure? And how will regulators and standards bodies adapt to a landscape where the speed and scale of vulnerability discovery have fundamentally changed?
For now, Mozilla’s proactive approach offers a model: early access, collaboration, and a willingness to confront the challenges head-on. But as Holley notes, this is a moment that requires “a lot of grit” from everyone involved. The security of the software that powers the modern world may depend on it.