Mozilla CTO says AI means developers finally have a chance to get on top of security
Mozilla has revealed it tested Anthropic’s bug-finding “Mythos” AI model and feels the results it experienced represent a watershed moment for software defenders.
The FOSS outfit on Tuesday reminded readers that it used Anthropic’s Opus 4.6 model to look for bugs in Firefox 148 and found 22 bugs.
Mythos found 271 vulnerabilities in Firefox 150.
Mozilla CTO Bobby Holley expressed mixed feelings about that result, which he described as giving the Firefox team “vertigo” as they confronted the need to fix so many flaws.
“For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up,” he wrote.
He also thinks the huge haul of bugs Mythos identified represents “light at the end of the tunnel” for security teams.
“Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up,” he wrote, then turned on bold text and declared “Defenders finally have a chance to win, decisively.”
He offered that prediction because he feels “Until now, the industry has largely fought security to a draw,” while acknowledging it’s all but impossible to eliminate all exploits.
“Instead, we aimed to make them so expensive that only actors with functionally unlimited budgets can afford them, and that the cost of burning such an expensive asset disincentivizes those actors against casual use,” he wrote.
Mythos changes the game, he feels, by improving on the fuzzing tools Mozilla uses to find bugs without human intervention.
“Elite security researchers find bugs that fuzzers can’t largely by reasoning through the source code,” he wrote.
“This is effective, but time-consuming and bottlenecked on scarce human expertise.
“Computers were completely incapable of doing this a few months ago, and now they excel at it.
We have many years of experience picking apart the work of the world’s best security researchers, and Mythos Preview is every bit as capable.
So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t.”
The CTO thinks Mythos’ abilities “can feel terrifying in the immediate term, but it’s ultimately great news for defenders.”
“A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug.
Closing this gap erodes the attacker’s long-term advantage by making all discoveries cheap.”
He then hit CTRL-B again, and busted out CTRL-I too, to note “Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher.”
The CTO also poured cold water on those who assert “future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension.”
He doesn’t think that will happen, because “Software like Firefox is designed in a modular way for humans to be able to reason about its correctness.
It is complex, but not arbitrarily complex.”
“The defects are finite, and we are entering a world where we can finally find them all.” ®
Source: This article was originally published by The Register