Mozilla Used Anthropic's Mythos to Find and Fix 271 Bugs in Firefox
Mozilla patched 271 security vulnerabilities in Firefox 150 after gaining early access to Anthropic's Mythos Preview AI model, which found bugs that traditional automated tools would have missed. This is the most concrete public proof yet that advanced AI can reshape how software...
According to Wired's coverage of the announcement, Mozilla went public on Tuesday with details of how its Firefox team used early access to Anthropic's Mythos Preview to systematically comb through the browser's codebase and surface 271 vulnerabilities, all of which are now patched in the Firefox 150 release. The story sits at the center of a live industry debate about whether AI is about to upend cybersecurity or simply accelerate an existing arms race between defenders and attackers.
Why This Matters
Finding 271 vulnerabilities in a single sweep of Firefox, one of the most scrutinized codebases in open-source software history, is not a minor footnote. This is a mature browser with decades of security audits behind it, and an AI model in preview found hundreds of bugs that human reviewers and fuzzing tools had missed. The attacker-defender balance has favored attackers for decades, and this announcement suggests defenders may be gaining a real, quantifiable edge. If even a preview version of Mythos can do this to Firefox, every major software company should be treating AI-powered security audits as urgent, not aspirational.
Daily briefing from 50+ sources. Free, 5-minute read.
The Full Story
Mozilla's Firefox 150, released this week, carries a number that should stop any security professional in their tracks: 271 patched vulnerabilities, all identified not through conventional fuzzing or manual code review, but through direct collaboration with Anthropic using an early build of its Mythos Preview model. Mozilla announced this publicly on Tuesday, framing it as both a proof of concept and a warning shot to the rest of the industry.
Bobby Holley, Firefox's chief technology officer, explained what made this moment different from previous security work. For years, Firefox has combined software fuzzing with internal and external human researchers to hunt for bugs. That approach created a meaningful but imperfect floor of protection. Certain categories of vulnerabilities, Holley said, required human-level reasoning to find and therefore remained out of reach for purely automated tools. Attackers willing to spend tens of millions of dollars could hire that kind of expertise. Defenders had to hope they found bugs first.
Mythos Preview changed that calculus in a fundamental way. Holley described the model as capable of covering, in his words, "the full space of vulnerability-inducing bugs," meaning it can reason through complex code the way a skilled human researcher would, but at machine speed and scale. That is not a small claim, and the 271-bug count in Firefox 150 gives it concrete weight.
The process was not painless. Mozilla's team described adjusting to what Holley called a firehose of bugs, a sudden surge in identified issues that required significant organizational resources and discipline to triage, prioritize, and patch. Mozilla's blog post noted that other teams going through similar AI-assisted audits have experienced what the company called "vertigo" when the volume of findings first came into focus. The implication is that Mozilla was not the only major software organization quietly working through this process, just the first to talk about it publicly.
Holley's framing of the longer arc is worth paying close attention to. He does not think AI will permanently destabilize cybersecurity. Instead, he describes a finite but brutal transition period where every major piece of software has to pass through a kind of AI-powered boot camp to surface and fix the latent bugs baked into its codebase over years of development. His exact words: "Every piece of software is going to have to make this transition, because every piece of software has a lot of bugs buried underneath the surface that are now discoverable." He believes Firefox has, in his phrasing, "rounded the curve," suggesting the heaviest lift is behind the team.
Anthropic granted Mozilla early access to Mythos Preview as part of a deliberate strategy. Both Anthropic and OpenAI have, in recent weeks, chosen limited private releases for their most capable cybersecurity-oriented models rather than open deployment, and both companies have assembled industry working groups to assess the implications and coordinate responsible use. That caution reflects an uncomfortable reality: the same model that helps Mozilla fix 271 bugs could help a well-resourced attacker find those bugs before they are patched.
Key Details
- Firefox 150 includes patches for exactly 271 vulnerabilities identified using Anthropic's Mythos Preview model.
- Mozilla announced the collaboration publicly on Tuesday, April 22, 2025.
- Bobby Holley, Firefox's CTO, described the moment as a "transitory" but "finite" period for the software industry.
- Anthropic granted Mozilla early access to Mythos Preview through a direct collaboration arrangement, not a public release.
- Both Anthropic and OpenAI have formed industry working groups specifically to manage the rollout of advanced cybersecurity AI capabilities.
- Mozilla's blog post described teams encountering "vertigo" when first seeing the volume of findings from AI-assisted security audits.
What's Next
The immediate pressure is on other major software organizations to request similar early access to Mythos Preview or comparable tools before the models become widely available to threat actors. Anthropic and OpenAI will likely use controlled industry releases as their template for the next several months, gradually expanding access while gathering data on how organizations handle the operational burden. Watch for other browser vendors, operating system makers, and cloud infrastructure companies to announce their own AI-assisted security audits in the second and third quarters of 2025.
How This Compares
OpenAI made its own play in the cybersecurity space in the same recent window, announcing new AI models with advanced vulnerability-detection capabilities alongside a formal cybersecurity strategy. That announcement was largely strategic and forward-looking. Mozilla's Firefox 150 announcement is different because it comes with a specific number, 271 bugs, attached to a specific product in a specific release. One is a roadmap; the other is a receipt.
The comparison to traditional fuzzing tools is also instructive. Fuzzing has been the backbone of automated vulnerability hunting for years, and Google's Project Zero has used it to significant effect across major codebases. But fuzzing is fundamentally a technique for finding crashes and memory errors by throwing random inputs at software. It does not reason about code the way a skilled human does. Holley's point about Mythos covering the "full space" of vulnerability-inducing bugs is a direct claim that AI-assisted analysis surpasses what fuzzing alone can accomplish, and 271 bugs in Firefox is hard evidence supporting that claim.
The broader competitive picture matters here. Anthropic positioned Mythos as a turning point in cybersecurity before Mozilla's announcement gave it a case study with real numbers. Now Anthropic has exactly the kind of third-party validation that turns a marketing claim into an industry standard. That will accelerate pressure on Google DeepMind, Meta, and others to demonstrate equivalent capabilities in security contexts, or risk being seen as lagging in the one application domain where measurable impact is easiest to prove.
FAQ
Q: What is Anthropic's Mythos Preview and what does it do? A: Mythos Preview is an early-access version of Anthropic's latest AI model, designed with advanced reasoning capabilities that allow it to analyze complex software code and identify security vulnerabilities. Unlike traditional automated tools that rely on pattern matching or random input testing, Mythos can reason through code logic the way a human security researcher would, which allows it to find bugs that older methods miss.
Q: Is Firefox 150 safe to use after all these bugs were found? A: Yes. Mozilla patched all 271 vulnerabilities identified by Mythos Preview before releasing Firefox 150. The point of the announcement is that the bugs were found and fixed internally before they could be exploited. Mozilla's disclosure is a transparency move, not a warning that users are at risk.
Q: Will AI tools like Mythos make cyberattacks worse or better for defenders? A: Mozilla's CTO Bobby Holley believes AI will ultimately help defenders more than attackers, but not without a difficult transition period first. The concern is that if attackers gain access to the same models before defenders have finished patching their code, the window of exposure grows. Anthropic's strategy of controlled, limited releases is an attempt to give defenders a head start.
Mozilla's Firefox 150 release is the clearest signal yet that AI-powered security auditing has moved from theory to operational practice, and the rest of the software industry is about to feel that pressure acutely. The companies that act now, before these capabilities spread to threat actors, will be in a far stronger position than those that wait for the tools to become commodities. Subscribe to the AI Agents Daily weekly newsletter for daily updates on AI agents, tools, and automation.
Get stories like this daily
Free briefing. Curated from 50+ sources. 5-minute read every morning.
