Mozilla: Anthropic’s Mythos Found 271 Security Vulnerabilities in Firefox 150

Earlier this month, Anthropic stated its Mythos Preview model was so proficient at detecting cybersecurity vulnerabilities that its initial release was severely restricted. Since then, the tech world has heavily debated whether this marks an era of turbocharged AI hacking, or simply standard AI evolution. Today, Mozilla offered a decisive answer.

Mozilla added critical data to the ongoing AI security debate on Tuesday, revealing in a blog post that early access to the Mythos Preview model helped them pre-identify a staggering 271 security vulnerabilities in this week’s release of Firefox 150.

The sheer volume and complexity of the identified bugs were significant enough for Firefox CTO Bobby Holley to passionately declare that in the constant back-and-forth between cyberattackers and cyberdefenders, “defenders finally have a chance to win, decisively.”

01. “We’ve Rounded the Curve”

While Holley refrained from detailing the specific severity and exploitability of all 271 vulnerabilities that Mythos detected, the raw numbers tell a remarkable story.

For comparison, last month, Anthropic’s Opus 4.6 model audited the unreleased codebase of Firefox 148. That model only found 22 security-sensitive bugs. The leap from 22 to 271 within a single generation shift underscores the massive leap in deep-reasoning and context windows that Mythos brings to complex codebases.

Holley pointed out that many of the vulnerabilities discovered by Mythos could technically have been found using traditional automated "fuzzing" techniques, or by an "elite security researcher" painstakingly tracing logic faults through millions of lines of C++ code. However, the true breakthrough of Mythos lies in its efficiency.

02. Shifting the Cybersecurity Balance

By identifying bugs autonomously and efficiently, Holley argues that AI tools like Mythos intrinsically tilt the global cybersecurity scales toward the defenders. In the security domain, the party that benefits the most from cheaper vulnerability discovery is the defender, as they can patch issues before the software ships.

• The Past: “Computers were completely incapable of doing this a few months ago.”
• The Present: “…and now they excel at it.”

In a recent interview with Wired, Holley noted that this paradigm shift is inevitable for the tech industry:
“Every piece of software is going to have to engage with this, because every piece of software has a lot of bugs buried underneath the surface that are now discoverable.”

03. A Lifeline for Open Source Security

The implications of AI-aided defense are particularly monumental for open source foundation projects—the often under-funded digital bedrock of the modern internet.

Open source codebases face a unique dual threat: their repositories are entirely public, meaning malicious actors can use AI to scour them for zero-day exploits. Simultaneously, these projects rarely have the budget to deploy elite security teams to counter those threats. Therefore, giving open source maintainers direct access to models like Mythos is imperative to prevent widespread internet collapses.

In a New York Times essay last week, Mozilla CTO Raffi Krikorian emphasized this precise danger:

“The programmer who gave 20 years of his life to maintain [open source] code that runs inside products used by billions of people? He doesn’t have access to Mythos yet. He should.”

As Anthropic continues to refine its flagship AI lineup alongside the gated access to Mythos via Project Glasswing, the cybersecurity community watches closely. Mozilla's transparency with Firefox 150 makes one thing crystal clear: the age of AI-automated software fortification is officially here.