Mythos found 271 Firefox flaws – but none a human couldn’t spot

Mozilla CTO says AI means developers finally have a chance to get on top of security.

The Mozilla has revealed it tested Anthropic’s bug-finding “Mythos” AI model and feels the results it experienced represent a watershed moment for software defenders.

The FOSS outfit on Tuesday reminded readers that it used Anthropic’s Opus 4.6 model to look for bugs in Firefox 148 and found 22 bugs.

Mythos found 271 vulnerabilities in Firefox 150.

Mozilla CTO Bobby Holley expressed mixed feelings about that result, which he described as giving the Firefox team “vertigo” as they confronted the need to fix so many flaws.

“For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up,” he wrote.

He also thinks the huge haul of bugs Mythos identified represent “light at the end of the tunnel” for security teams.

“Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up,” he wrote, then turned on Bold text and declared “Defenders finally have a chance to win, decisively. ”

He offered that prediction because he feels “Until now, the industry has largely fought security to a draw” while acknowledging it’s all-but impossible to eliminate all exploits.

“Instead, we aimed to make them so expensive that only actors with functionally unlimited budgets can afford them, and that the cost of burning such an expensive asset disincentivizes those actors against casual use,” he wrote.

Mythos changes the game, he feels, by improving on the fuzzing tools Mozilla uses to find bugs without human intervention.

“Elite security researchers find bugs that fuzzers can’t largely by reasoning through the source code,” he wrote. “This is effective, but time-consuming and bottlenecked on scarce human expertise.

“Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world’s best security researchers, and Mythos Preview is every bit as capable. So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t.”

Full article here

As much as I dislike AI, in cases like this Mythos seems beneficial in helping to tackle abundant amount of bugs and vulnerbilites in browsers like Firefox. Surely this will help it hardened it more.

This would be great to use on distros like Zorin 18, to help tackle the bugs even faster.

And how long before A.I. declares humans as errors and eradicates them?

I will reproduce the correct lyrics later. Even Musixmatch can't get them right which suggests they have used A.I. to search for other song titles that match what they think it heard. Stefan Poiss the creative genius behind mind.in.a.box and THYX is Austrian and his English pronunciation has an accent that A.I. cannot interpret correctly. The actual lyrics were written by an English poet which THYX added music too. In part of the lyrics on several sites include the words "The V8" when it should be "deviate":
mind.in.a.box R.E.T.R.O. album is a tribute to the best computer games music of the 80’s, including "The last V8".

So whose to say that Mythos is creating mythical flaws based on its own parameters?