\n<\/p>\n
When Anthropic unveiled its new Mythos model in April, it also delivered a stern warning to anyone developing software. The model was so powerful at sniffing out software vulnerabilities, the lab claimed<\/a>, that it had discovered thousands of high-severity bugs that would need to be fixed before it could be made public.<\/p>\n Now, security researchers for Mozilla\u2019s Firefox browser are providing a closer look at what that process has looked like in practice, and what Mythos\u2019 powers mean for software security at large. <\/p>\n In a post published on Thursday<\/a>, Mozilla said Mythos has unearthed a wealth of high-severity bugs, including some that had lain dormant in the code for more than a decade.<\/p>\n That\u2019s a significant improvement from what AI security tools were capable of even six months ago. Until now, AI bug-finding tools have come with severe drawbacks, often inundating security teams with low quality reports and false positives<\/a>. But Mozilla\u2019s researchers say the latest generation of tools have turned a corner, particularly now that agentic systems can assess their own work and filter out bad results.<\/p>\n \u201cIt is difficult to overstate how much this dynamic changed for us over a few short months,\u201d the researchers wrote. \u201cFirst, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing<\/em> these models.\u201d<\/p>\n The results are striking: In April 2026, Firefox shipped 423 bug fixes, compared to just 31 exactly a year earlier. The researchers have also published details on 12 of the bugs, which range from a pair of unusual sandbox vulnerabilities, to a 15-year-old error in how the browser parses an HTML element.<\/p>\n \u201cThese things are actually just suddenly very good,\u201d Brian Grinstead, a distinguished engineer at Mozilla, told TechCrunch. \u201cWe see that on our own internal scanning, we see that on external bug reports, and we see that in all sorts of signals across the industry.\u201d<\/p>\n Techcrunch event<\/p>\n \n\t\t\t\t\t\t\t\t\tSan Francisco, CA<\/span> The fact that the system helped reveal vulnerabilities in Firefox\u2019s \u201csandbox\u201d system is particularly impressive, given how intricate an attack that exploits it needs to be. To find sandbox vulnerabilities, the model must write a compromised patch for the browser, then attack the most secure part of the software with the new code implemented. Finding and demonstrating the bug is a delicate, multi-step process, requiring both creativity and close attention.\u00a0<\/p>\n To put this into context, Mozilla\u2019s bug bounty program<\/a> pays researchers who can find a bug in Firefox\u2019s sandbox up to $20,000 \u2014 the highest reward available. Despite the top-dollar bounty, however, Grinstead says Mythos is finding more sandbox issues than human researchers ever did. \u201cWe do get them,\u201d he told TechCrunch, \u201cbut not at the volume that we are able to find with this technique.\u201d<\/p>\n Notably, the Firefox team still isn\u2019t using AI to fix the bugs, despite well-documented progress in AI coding tools. The team does ask AI to code up patches for each bug, but the resulting code usually can\u2019t be deployed directly, and instead serves as a model for a human engineer.<\/p>\n \u201cFor the bugs we\u2019re talking about in this post, every single one is one engineer writing a patch and one engineer reviewing it,\u201d Grinstead says. \u201cWe have not found it to be automatable.\u201d<\/p>\n It\u2019s still not clear how AI\u2019s emerging capabilities will change the broader balance of power in cybersecurity. One month since Mythos was previewed, most of the bugs discovered likely haven\u2019t been patched, which makes it hard to capture the full scope of their impact. Anthropic has been scrupulous about following responsible disclosure norms, but it\u2019s likely bad actors are using similar techniques behind the scenes, even if the models they\u2019re using aren\u2019t quite as good.<\/p>\n Speaking at a recent event<\/a>, Anthropic CEO Dario Amodei was optimistic that the new tools would ultimately favor defenders. \u201cIf we handle this right, we could be in a better position than we started, because we fixed all these bugs. There are only so many bugs to find,\u201d Amodei said. \u201cSo I think there\u2019s a better world on the other side of this.\u201d<\/p>\n Having dealt with the gritty details, Grinstead has a more measured view: \u201cIt\u2019s useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet.\u201d<\/p>\n<\/div>\n When you purchase through links in our articles, we may earn a small commission<\/a>. This doesn\u2019t affect our editorial independence.<\/em><\/p>\n
\n\t\t\t\t\t\t\t\t\t\t\t\t\t|<\/span>
\n\t\t\t\t\t\t\t\t\t\t\t\t\tOctober 13-15, 2026<\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n