Anthropic and Mozilla team up to uncover over 100 bugs in Firefox with Claude Opus 4.6, including 14 high-severity bugs, in just two weeks

Anthropic's Frontier Red Team and Mozilla collaborated on AI-based vulnerability detection, reporting that Claude Opus 4.6 submitted a total of 112 reports for Firefox in just two weeks, of which 22 were confirmed as vulnerabilities. This achievement demonstrates the potential for AI to rapidly verify and strengthen the security of large codebases.
Partnering with Mozilla to improve Firefox's security \ Anthropic
Hardening Firefox with Anthropic's Red Team
https://blog.mozilla.org/en/firefox/hardening-firefox-anthropic-red-team/
The study involved extensive scanning of approximately 6,000 C++ files, focusing in particular on the JavaScript engine, a common target of browser attacks. Within just 20 minutes of starting the study, the researchers discovered a memory safety issue known as a 'use-after-free' vulnerability. The model subsequently identified a large number of unique crash inputs, which were manually verified by Anthropic's team of researchers and reported to Mozilla's bug tracking system.
According to the results, 22 of the 112 submitted reports were assigned CVEs, and Mozilla rated 14 of those as high severity, representing approximately 20% of all high-severity Firefox vulnerabilities fixed throughout 2025.

Mozilla explained that while AI-assisted bug reporting has a common problem of high false positives and can be a burden to open source developers, the report provided by Anthropic included a minimal test case to reproduce the issue, a detailed proof of concept (PoC), and a proposed patch, which enabled Mozilla platform engineers to begin work on the fix within hours and efficiently resolve the vulnerability.
The AI's ability to exploit the vulnerabilities it discovered was also tested. Despite hundreds of tests using API credits worth approximately $4,000, only two successful exploits were produced. The resulting code was crude and only worked in modern browsers with security features intentionally disabled.

These results suggest that while current AI is good at finding and fixing vulnerabilities, it remains difficult to adapt it for advanced attacks, giving defenders the advantage at present.
Building on this work, Anthropic and Mozilla are sharing best practices for improving security, including the use of a 'task validator' that allows AI agents to check their own performance. Mozilla has already begun integrating AI analysis into its internal security workflow, strengthening its ability to identify unknown vulnerabilities before attackers do. Going forward, the company plans to continue to advance secure software development using AI, adjusting its defense processes as its models improve.
In Mozilla's security advisory, researchers from Anthropic are listed as reporters of the vulnerability, under the name 'Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic.'
Security Vulnerabilities fixed in Firefox 148 — Mozilla
https://www.mozilla.org/en-US/security/advisories/mfsa2026-13/