In April, Anthropic introduced its groundbreaking Mythos model, which quickly garnered attention for its remarkable ability to identify software vulnerabilities. According to the lab, the model uncovered thousands of critical bugs that needed addressing before it could be released to the public.
Mozilla's security researchers have now shared insights into how Mythos has influenced the security landscape for the Firefox browser. In a recent blog post, Mozilla highlighted that Mythos has revealed numerous high-severity bugs, some of which had remained hidden in the code for over a decade.
This advancement marks a significant leap from the capabilities of AI security tools available only six months earlier. Historically, AI-driven bug-finding tools have bombarded security teams with low-quality reports and numerous false positives. However, Mozilla's team asserts that the latest generation of tools, including Mythos, has made substantial progress, particularly because these systems can now evaluate their own findings and discard the inaccurate ones before they reach a human.
"The transformation we've experienced in such a short time is remarkable," the researchers noted. "The models have become significantly more effective, and we have also enhanced our methods for utilizing these models."
The outcome is impressive: in April 2026, Firefox shipped 423 bug fixes, a massive increase from just 31 in the same month a year earlier. Mozilla's researchers have detailed 12 of these bugs, among them unusual sandbox vulnerabilities and a 15-year-old flaw in HTML parsing.
Brian Grinstead, a distinguished engineer at Mozilla, remarked, "The effectiveness of our tools has dramatically improved. We observe this across various metrics, from internal scans to external reports."
Particularly noteworthy is the model's ability to identify vulnerabilities in Firefox's "sandbox" system, which requires intricate techniques to exploit. To discover these vulnerabilities, Mythos must first generate a patch that compromises one part of the browser and then, from that position, target the most heavily protected sections of the software, showcasing both creativity and precision.
For context, Mozilla's bug bounty program offers researchers up to $20,000 for identifying bugs within the sandbox, yet Grinstead points out that Mythos is uncovering more issues than human researchers ever did. "We do receive reports, but not at the same volume as with this innovative technique," he explained.
Interestingly, while the Firefox team uses AI to generate candidate patches for the identified bugs, it does not land those patches as-is. Instead, the AI-generated code serves as a reference that human engineers review and refine.
Grinstead emphasized, "For the bugs discussed here, each one involves a single engineer creating a patch and another reviewing it. We have not found this process to be automatable."
The broader implications of AI in cybersecurity remain uncertain. A month after Mythos was revealed, many of the identified bugs were still unpatched, complicating the assessment of their overall impact. While Anthropic adheres to responsible disclosure practices, it is likely that malicious actors are employing similar techniques, albeit with less sophisticated models.
At a recent event, Anthropic CEO Dario Amodei expressed optimism about the potential of these new tools to enhance security. "If we manage this correctly, we could emerge in a stronger position, having resolved numerous vulnerabilities," he stated. "There are only so many bugs to find, and I believe a more secure future awaits us."
Grinstead provided a more cautious perspective, noting, "These tools benefit both attackers and defenders, but their availability slightly tips the balance toward defense. The ultimate outcome remains uncertain."