Mozilla Patched 271 Firefox 150 Vulnerabilities After Early Access to Anthropic’s Mythos Preview

Mozilla says its Firefox 150 release includes protections for 271 vulnerabilities that it identified after early access to Anthropic’s Mythos Preview.

“Earlier this month, Anthropic said its Mythos Preview model was so good at finding cybersecurity vulnerabilities that the company was limiting its initial release to “a limited group of critical industry partners”

Ars Technica

In a Tuesday blog post, Mozilla wrote that “early access to Mythos Preview had helped it pre-identify 271 security vulnerabilities in this week’s release of Firefox 150.”

Ars Technica

Ars Technica reported that Mozilla’s data fed a debate over whether Mythos signals “an era of turbocharged AI-aided hacking” or whether it is “just building hype for what is a relatively normal step up on the ladder of advancing AI capabilities.”

Ars Technica also quoted Firefox CTO Bobby Holley saying, “defenders finally have a chance to win, decisively.”

Holley did not detail the severity of the “hundreds of vulnerabilities that Mythos reportedly detected simply by analyzing the unreleased source code of Firefox’s latest version,” but he compared the result to Anthropic’s Opus 4.6 model finding “only 22 security-sensitive bugs when analyzing Firefox 148 last month.”

Mozilla’s own blog later framed the work as a shift in how defenders can find latent issues, writing that “This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation.”

Mozilla’s account ties the Firefox 150 results to a longer collaboration timeline that began with Opus 4.6 and then moved to Mythos Preview.

The Mozilla Blog says that “Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser.”

Engadget

It adds that Mozilla “wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148.”

Ars Technica similarly reported that Holley compared Mythos’s findings to Opus 4.6, noting that Opus 4.6 found “only 22 security-sensitive bugs when analyzing Firefox 148 last month.”

The Mozilla Blog then describes the next step: “As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox.”

It states that Firefox 150 “includes fixes for 271 vulnerabilities identified during this initial evaluation,” and it frames the scale as a “firehose of bugs” that teams must adjust to.

Mozilla’s blog post lays out why it believes Mythos Preview changes the economics of vulnerability discovery, while also insisting that it has not seen bugs that humans could not find.

“Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser”

The Mozilla Blog

It argues that “computers were completely incapable of doing this a few months ago, and now they excel at it,” referring to reasoning through source code that elite researchers do when fuzzing coverage is uneven.

The blog explains that “Elite security researchers find bugs that fuzzers can’t largely by reasoning through the source code,” and it calls that process “time-consuming and bottlenecked on scarce human expertise.”

Mozilla says it uses “defense-in-depth” and notes that “Firefox runs each website in a separate process sandbox,” while attackers try to “combine bugs in the rendering code with bugs in the sandbox to escape to a more privileged context.”

The Mozilla Blog then connects the AI results to the attacker’s advantage, stating that “A gap between machine-discoverable and human-discoverable bugs favors the attacker,” because it lets attackers concentrate “many months of costly human effort to find a single bug.”

Mozilla says Mythos Preview narrows that gap, writing that “Closing this gap erodes the attacker’s long-term advantage by making all discoveries cheap.”

The reporting around Mythos Preview reflects a broader dispute about whether AI vulnerability hunting will meaningfully shift cybersecurity power or simply accelerate a trend already underway.

Ars Technica described “debate has raged over whether the model presages an era of turbocharged AI-aided hacking or if Anthropic is just building hype for what is a relatively normal step up on the ladder of advancing AI capabilities.”

WIRED

Engadget said Anthropic’s announcement was “met with plenty of skepticism,” but it highlighted Mozilla’s details as support for Mythos Preview’s value for “protect critical services.”

Engadget also quoted the foundation’s claim that “So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t,” and it framed that as an indication that “AI isn’t presently able to do more to crack cybersecurity protections than a person can.”

WIRED, meanwhile, reported that Mozilla’s experience shows AI tools “could have a profound impact for vulnerability hunters,” and it quoted Bobby Holley saying, “Our belief is that the tools have changed things dramatically, because now we have automated techniques that can cover, as far as we can tell, the full space of vulnerability-inducing bugs.”

WIRED also contextualized the moment by noting that “Both Anthropic and OpenAI have announced new AI models in recent weeks” and that “Both Anthropic and OpenAI have announced new AI models in recent weeks” and that “With this in mind, the companies have so far only done limited private releases of their new models.”

Mozilla’s blog and the broader coverage both stress that the work is not finished and that defenders will face a sustained workload as AI-driven bug discovery spreads.

“Earlier this month, Anthropic said its Mythos Preview model was so good at finding cybersecurity vulnerabilities that the company was limiting its initial release to “a limited group of critical industry partners”

Ars Technica

The Mozilla Blog says, “Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up,” and it warns that “many other teams are now experiencing the same vertigo we did when the findings first came into focus.”

Ars Technica

It describes a practical consequence for security teams: “You may need to reprioritize everything else to bring relentless and single-minded focus to the task,” and it frames the moment as one where defenders must keep up with “the firehose of bugs.”

WIRED echoed that framing by reporting that Mozilla said it had to adjust to “the firehose of bugs that new AI tools can uncover,” and it quoted Holley describing a “bootcamp” that “all software will have to go through one way or the other.”

WIRED also reported that Holley said he had talked to “engineering leaders at very large companies who are saying that they’re going to be pulling thousands of engineers off of everything to be working on this for the next six months.”

Engadget added that Mozilla has given users the option to “turn it all off for the past several months,” indicating that the transition is not only about backend security work but also about how AI features are exposed to end users.