AI-First
Mozilla just patched 271 security vulnerabilities in Firefox 150. All found by AI. Not by an army of developers, not by a six-figure external audit: by Claude Mythos Preview, Anthropic's model that almost nobody can use yet. And the most striking part isn't the number. It's what it reveals about how AI creates value when you integrate it properly.
- 🔥 271 vulnerabilities fixed: a single AI pass over the Firefox 150 codebase.
- 🏗️ The harness does everything: the model alone isn't enough, it's the integration that eliminates the noise.
- ⚠️ Real dual-use risk: attackers have access to the same capabilities as defenders.
- 🎯 Direct lesson for SMBs: you don't need Mythos to start automating your audits.
271 bugs in a single pass: the raw numbers
On April 21, 2026, Mozilla released Firefox 150 with fixes for 271 security flaws identified by Claude Mythos Preview. According to the official Mozilla Hacks blog, this is the largest batch of security fixes ever shipped in a single browser release.
To grasp the scale, you need to look at what happened just before. In February 2026, the Firefox team had already tested Claude Opus 4.6 on roughly 6,000 C++ files. The result: 22 confirmed security bugs, 14 of which were rated high severity. That alone was nearly a fifth of all high-severity bugs fixed throughout 2025. The team thought they had scored a major win.
Mythos multiplied that score by twelve.
Why is this number so impressive for such a heavily audited codebase?
Firefox is no amateur project. It's a mature codebase with an internal red team, continuous automated fuzzing, per-process sandboxes, and external security researchers who have been scrutinizing it for twenty years. For a project this hardened, finding a handful of serious bugs in a month-long audit would already be exceptional.
Some of these bugs had been dormant for 15 to 27 years. A 20-year-old XSLT bug, IPC race conditions that fuzzing had missed five million times over. Bobby Holley, Firefox CTO, described the moment his team saw the number 271: "vertigo." According to CSO Online, Holley stated that "computers were completely incapable of doing this a few months ago."
Fuzzing covers poorly. Humans cover slowly. AI covers everything, fast.
An important nuance: the official Firefox 150 advisory lists only 41 CVEs, with just 3 directly credited to Claude. The 271 include lower-severity bugs, defensive hardening, and fixes on code paths that aren't directly exploitable. According to Digital Citizen, David Shipley of Beauceron Security puts it well: "Nothing Mythos found couldn't have been found by a competent human. AI isn't discovering a new class of super-bugs. It's just finding a lot of things that were missed."
That's exactly the point. The value isn't in discovering a new type of flaw. It's in exhaustive coverage at a speed no human team can match.
The harness, not the model: the real lesson
Here's what most articles on this topic don't say clearly enough: Mythos alone would never have delivered results this clean.
How did Mozilla eliminate false positives?
Before this operation, AI-generated bug reports were what Mozilla calls "unwanted slop." They looked like real reports, but the details were hallucinated. The asymmetric cost was brutal: producing a fake report costs nothing, verifying one costs hours.
What changed the game was the harness: a software agent that wraps the model, gives it precise instructions ("find a bug in this file"), provides it with the same tools human developers use (compiler, test build, sanitizers), and loops it until confirmation. The model generates an HTML test case, the harness runs it against the Firefox build with memory sanitizers enabled. If it crashes: the bug is real. If it doesn't: start over.
Brian Grinstead, Distinguished Engineer at Mozilla, explains on Mozilla Hacks: "As long as you can define a deterministic and clear success signal, you can tell it to keep working."
A second LLM then scores the quality of the report produced by the first. The result: "near-zero false positives."
This mirrors exactly what I see with my SMB clients when we deploy autonomous AI agents. The raw model, isolated in a chat window, produces noise. The same model, connected to real business tools (CRM, emails, databases, pipelines), produces value. Mozilla just proved this principle at the scale of one of the most scrutinized open-source projects in the world.
The real value is never in the model. It's in the integration with your processes.
| Metric | Claude Opus 4.6 | Claude Mythos Preview | Trend |
|---|---|---|---|
| Confirmed bugs | 22 | 271 | ↑ x12 |
| Working exploits (JS engine) | 2 | 181 | ↑ x90 |
| False positives | Frequent | Near zero | ↑ reliability |
| Oldest bug detected | N/A | 27 years | → new |
| Average detection time | Weeks | Minutes | ↑ speed |
SOURCE: Mozilla Hacks · Anthropic · Updated 05/2026
The flip side: open source under pressure and dual-use
Mozilla's success has a downside. Bobby Holley acknowledges it in Wired: "Every piece of software is going to have to make this transition, because every piece of software has a lot of bugs buried beneath the surface that are now discoverable."
Should we worry that attackers will use these same tools?
The short answer: yes. Anthropic has confirmed an investigation into unauthorized access to Mythos through a third-party environment, according to CSO Online. The model that finds 271 bugs for defenders can find just as many for attackers.
Holley's argument rests on a bet: defenders have access to the full source code, attackers don't. Defenders can scan systematically, patch, and shrink the attack surface to zero. Attackers only need one bug, but if defenders find them all first, the ratio flips.
That bet holds for Mozilla, which has the resources. For small open-source projects, it's a different story. Raffi Krikorian, Mozilla's CTO, writes in the New York Times: "The world's most valuable software infrastructure continues to be maintained by people working for free, while the companies building fortunes on top of it have never had to pay for its upkeep."
The European Union Agency for Cybersecurity (ENISA) regularly warns about this asymmetry. Maintainers of small projects have neither access to these models nor the bandwidth to process the results. AI is creating an arms race where only well-funded projects can keep up.
Why should European businesses care?
If your SMB uses open-source dependencies (and it does), the question is no longer "does our code have bugs?" but "is someone looking for them before the attackers do?" AI just made that question urgent.
What this concretely changes for your business
I'm not going to tell you to go request access to Claude Mythos Preview. The model isn't public, and that's not the point.
Mozilla's lesson fits in one sentence: an AI model connected to the right tools, with a clear validation signal, replaces months of manual work. And that, you can replicate right now.
What's the first concrete step for an SMB?
Identify a repetitive task in your business where the outcome is automatically verifiable. Quality control on data. Compliance checks on documents. Code auditing. Accounting reconciliation. The pattern is always the same: AI proposes, a tool verifies, you loop until the signal turns green.
Mozilla built a harness for bug hunting. You can build an agent for error hunting in your business processes. Existing models are enough. The barrier isn't technological, it's organizational.
I've documented this approach in my guide on AI integration in business. Every executive's first instinct is to look for the best model. The right instinct is to map the tasks where an automatic validation signal already exists. That's where AI creates immediate value, not in an impressive demo that only runs on stage.
Companies waiting for the "right time" to integrate AI into their operations just got a clear signal. Mozilla, 27 years of C++ codebase, thousands of contributors, one of the most skilled red teams in the world. If they found 271 bugs they'd missed, how many are sleeping in your processes?
The "we're not ready" excuse doesn't hold anymore. Mozilla wasn't ready either. They integrated AI into their existing tools, and it worked.
At GoLive Software, we help SMBs with exactly this kind of integration: plugging AI into real processes, not into POCs that end up in a drawer.
Frequently asked questions
What exactly is Claude Mythos Preview?
Claude Mythos Preview is an Anthropic model specialized in code analysis and vulnerability detection. It is not publicly available. Anthropic distributed it to a select group of organizations through the Project Glasswing program, which includes companies like Amazon, Microsoft, and JPMorgan. Mozilla obtained direct access outside of this program to scan Firefox.
Were all 271 vulnerabilities critical?
No. The official Firefox 150 advisory lists 41 CVEs, with only 3 directly credited to Claude. The 271 include bugs of varying severity: defensive fixes, code hardening, and flaws on code paths that aren't directly exploitable. The number is still significant because it represents real defects in the code, all fixed before an attacker could use them.
Can an SMB replicate what Mozilla did?
Not at this scale, but the principle is transferable. Mozilla built a harness that connects the model to Firefox's build and test tools. An SMB can replicate this logic on its own processes: connect an existing model (Claude, GPT) to its business tools with an automatic validation signal. The investment is in integration, not in access to a secret model.
Does AI replace human security researchers?
No. David Shipley of Beauceron Security sums it up: AI doesn't find bugs that a competent human couldn't find. It finds them faster and in greater volume. Human researchers are still needed for triage, prioritization, and remediation decisions. AI changes the scale, not the nature of the work.
Is the dual-use risk real?
Yes. Anthropic confirmed an investigation into unauthorized access to Mythos through a third-party vendor. A model capable of finding 271 bugs in a browser can also be used by attackers. Mozilla's thesis rests on the idea that defenders, who have access to the full source code, can scan faster than attackers can exploit. That bet holds for large projects. For small open-source maintainers without resources, the asymmetry is concerning.
Vidéos YouTube
Articles & ressources
- Behind the Scenes Hardening Firefox with Claude Mythos Preview · Mozilla Hacks
- Mythos Unleashed: How Mozilla Turned AI Bug Hunter into Firefox's Biggest Security Overhaul · WebProNews
- Claude Mythos signals a new era in AI-driven security, finding 271 flaws in Firefox · CSO Online
- Claude Mythos Found 271 Vulnerabilities in Firefox: What It Means for Browser Security · Digital Citizen
- Anthropic Mythos Finds 271 Firefox Vulnerabilities · The Outpost