Mozilla explains the system that discovered 271 vulnerabilities in Firefox using Claude Mythos Preview.



Mozilla has published a detailed explanation on its blog of the discovery method and the verification process behind the Firefox vulnerabilities it found using Claude Mythos Preview.

Behind the Scenes Hardening Firefox with Claude Mythos Preview - Mozilla Hacks - the Web developer blog
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

Mozilla says 271 vulnerabilities found by Mythos have 'almost no false positives' - Ars Technica
https://arstechnica.com/information-technology/2026/05/mozilla-says-271-vulnerabilities-found-by-mythos-have-almost-no-false-positives/

Mozilla fixed a total of 423 security vulnerabilities in April. Of these, 271 were found using Claude Mythos Preview. Of the remaining 152, 41 were reported externally and 111 were discovered through subsequent releases of Claude Mythos Preview, through other models, or using traditional methods.

Anthropic's Mythos discovers 271 security vulnerabilities in Firefox 150; Mozilla calls it 'good news for defenders' - GIGAZINE



Of the 271 vulnerabilities disclosed in Firefox 150, 180 were classified as sec-high, 80 as sec-moderate, and 11 as sec-low. Mozilla explains that even sec-high and sec-critical vulnerabilities do not usually compromise Firefox on their own, and that real-world attacks require a chain reaction of multiple vulnerabilities.

According to Mozilla, until a few months ago AI-based vulnerability reports had a high false-positive rate, placing a significant burden on developers. However, improvements in model performance and the development of a purpose-built mechanism for directing the models have dramatically changed their practicality.



In this initiative, Mozilla didn't simply have AI read the code; instead, they built an agent-based harness on top of Firefox's existing fuzzing infrastructure. This mechanism allows the AI to search for vulnerabilities in specific source files, create reproducible test cases, and then verify whether crashes or dangerous behavior actually occur.
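The verification step described above, where an AI-written test case is re-run and only accepted if the crash actually reproduces, is the part that keeps false positives out of the bug tracker. The following is an added illustration of that triage logic and is not Mozilla's harness; the report shape, the sanitizer output and the function names (`CandidateReport`, `verify`, `demo_runner`, `run_under_sanitizer`) are all assumptions, and the sample AddressSanitizer output is constructed. The second-LLM review stage mentioned later in the article is not modelled here.

```python
"""Triage of AI-generated crash reports: re-run the test case, require an
independent sanitizer report, and de-duplicate by crash signature.
Added example; hypothetical harness, not Mozilla's code."""
import hashlib
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class CandidateReport:
    """What the agent hands back (hypothetical shape)."""
    target_file: str        # source file the agent was told to examine
    testcase_path: str      # reproducer the agent wrote
    claimed_bug_class: str  # e.g. "heap-use-after-free"


@dataclass
class Verdict:
    confirmed: bool
    bug_class: Optional[str]
    signature: Optional[str]
    reason: str


# Sanitizer report header and stack-frame lines (ASan format).
ASAN_HEADER = re.compile(r"ERROR: AddressSanitizer: ([a-z-]+)")
FRAME = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)", re.M)

# Constructed sanitizer output standing in for a real crashing run.
CONSTRUCTED_ASAN_OUTPUT = """\
==1234==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000eff0
READ of size 8 at 0x60200000eff0 thread T0
    #0 0x4a1b2c in ExampleNode::Layout() example.cpp:42
    #1 0x4a1c00 in ExampleParent::Reflow() example.cpp:99
    #2 0x4a1d00 in main driver.cpp:10
"""


def parse_sanitizer_output(stderr: str) -> Tuple[Optional[str], List[str]]:
    """Return (bug class, stack frames top-down), or (None, []) if no report."""
    m = ASAN_HEADER.search(stderr)
    if not m:
        return None, []
    frames = [name for _, name in FRAME.findall(stderr)]
    return m.group(1), frames


def crash_signature(bug_class: str, frames: List[str], depth: int = 3) -> str:
    """Stable signature for de-duplication: bug class plus the top N frames."""
    key = "|".join([bug_class, *frames[:depth]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def verify(report: CandidateReport,
           run_target: Callable[[str], Tuple[int, str]],
           known_signatures: Set[str]) -> Verdict:
    """Re-run the agent's test case. The claim is accepted only when the
    sanitizer itself reports a crash; the agent's own description is never
    trusted on its own. run_target(testcase_path) -> (returncode, stderr)."""
    _rc, err = run_target(report.testcase_path)
    bug_class, frames = parse_sanitizer_output(err)
    if bug_class is None:
        return Verdict(False, None, None, "no sanitizer report: likely false positive")
    sig = crash_signature(bug_class, frames)
    if sig in known_signatures:
        return Verdict(True, bug_class, sig, "duplicate of known crash")
    known_signatures.add(sig)
    if bug_class != report.claimed_bug_class:
        return Verdict(True, bug_class, sig,
                       f"confirmed, but class differs from claim ({report.claimed_bug_class})")
    return Verdict(True, bug_class, sig, "confirmed")


def run_under_sanitizer(binary: str, testcase_path: str, timeout: int = 60) -> Tuple[int, str]:
    """Real runner for a sanitizer-instrumented build (not used by the demo)."""
    proc = subprocess.run([binary, testcase_path], capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stderr


def demo_runner(testcase_path: str) -> Tuple[int, str]:
    """Offline stand-in: paths containing 'crash' reproduce, others run clean."""
    if "crash" in testcase_path:
        return 1, CONSTRUCTED_ASAN_OUTPUT
    return 0, ""


if __name__ == "__main__":
    seen: Set[str] = set()
    for r in (CandidateReport("dom/example.cpp", "testcases/crash-1.html", "heap-use-after-free"),
              CandidateReport("dom/example.cpp", "testcases/crash-1.html", "heap-use-after-free"),
              CandidateReport("dom/example.cpp", "testcases/benign-1.html", "heap-buffer-overflow")):
        v = verify(r, demo_runner, seen)
        print(r.testcase_path, "->", v.reason)
```

The signature is computed from the sanitizer's bug class and top frames rather than from anything the agent wrote, so a report whose test case does not crash is rejected outright, and two reports that reach the same crash are collapsed into one before a developer sees them.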

Vulnerabilities were found across a wide range of areas, including JIT, WebAssembly GC, IndexedDB, WebTransport, XSLT, HTML tables, and RLBox. Some of these included a bug in the <legend> element that had existed for 15 years, and XSLT-related bugs that had persisted for 20 years, revealing complex problems that would be difficult to find with traditional fuzzing or manual investigation.

Mozilla has drawn particular attention to the fact that the Firefox update fixed multiple vulnerabilities that could lead to a sandbox escape. While these vulnerabilities alone may not compromise Firefox as a whole, and require combination with other vulnerabilities, they could serve as important pathways for attackers to expand their privileges.



Mozilla also stated that 'there is meaning in what the AI couldn't find.' For example, logs confirmed that previously implemented defenses against prototype poisoning had blocked the AI's attack attempts, demonstrating that the existing multi-layered defenses are indeed effective.

Mozilla's Brian Grinstead assessed the vulnerabilities discovered by this system as having 'almost no false positives,' and added that, by having a second LLM evaluate the AI's output as an additional verification step, developers can now handle reports with a level of confidence close to that of traditional detection methods.

Tags: AI, Software, Security. Posted by log1i_yk