Mozilla Uses Anthropic's Mythos to Uncover 271 Vulnerabilities in Firefox 150

Mozilla's use of Anthropic's Mythos AI uncovered 271 vulnerabilities in Firefox 150, shifting the security bottleneck from detection to remediation.

Apr 23, 2026
Technobezz

Mozilla ran Anthropic's Mythos AI against Firefox 150 and got 271 vulnerabilities back, more than 12 times what its previous best model found in Firefox 148 just last month.

The haul represents a milestone in automated security research, but not for the reasons Anthropic's marketing might suggest. The bugs are real. They're all patched in Firefox 150, which shipped this week.

What matters is how they were found: Mythos reasoned through source code the way elite human researchers do, rather than brute-forcing inputs like traditional fuzzing tools.

"Computers were completely incapable of doing this a few months ago, and now they excel at it," Firefox CTO Bobby Holley wrote. That speed creates a new problem. Mozilla described finding hundreds of vulnerabilities at once as giving the team "vertigo": one critical bug used to trigger a focused response; dozens demand triage at scale. The bottleneck has shifted from detection to remediation.

Holley is measured about what this means. Mythos found 271 flaws, yes.

But: "We also haven't seen any bugs that couldn't have been found by an elite human researcher," he said. The model replicates human capability rather than exceeding it. That distinction matters because Anthropic has framed Mythos as almost too dangerous for public release, withholding general access through Project Glasswing while offering previews to select organizations. Mozilla's data suggests a more grounded picture: AI has automated a scarce human skill, which is major for defenders but not apocalyptic.

"Closing this gap erodes the attacker's long-term advantage by making all discoveries cheap," Holley wrote.

Mozilla CTO Raffi Krikorian made a related argument in a New York Times essay last week: open source maintainers who have given decades to critical infrastructure don't have access to tools like Mythos yet, but they should. The asymmetry is stark when state-backed attackers can deploy AI against public codebases maintained by volunteers. For Mozilla, the immediate work is triage and patch management at scale. Holley said Firefox has "rounded the curve" after adjusting to the firehose of findings.

He dismissed fears that future models will uncover entirely novel vulnerability classes, arguing that software like Firefox is "designed in a modular way for humans to be able to reason about its correctness."

"The defects are finite," he wrote, "and we are entering a world where we can finally find them all."
