When Anthropic unveiled its new Mythos mannequin in April, it additionally delivered a stern warning to anybody growing software program. The mannequin was so highly effective at sniffing out software program vulnerabilities, the lab claimed, that it had found hundreds of high-severity bugs that will have to be fastened earlier than it might be made public.
Now, safety researchers for Mozilla’s Firefox browser are offering a more in-depth have a look at what that course of has appeared like in apply, and what Mythos’ powers imply for software program safety at massive.
In a post published on Thursday, Mozilla stated Mythos has unearthed a wealth of high-severity bugs, together with some that had lain dormant within the code for greater than a decade.
That’s a major enchancment from what AI safety instruments had been able to even six months in the past. Till now, AI bug-finding instruments have include extreme drawbacks, usually inundating safety groups with low-quality reports and false positives. However Mozilla’s researchers say the most recent technology of instruments have turned a nook, notably now that agentic techniques can assess their very own work and filter out dangerous outcomes.
“It’s troublesome to overstate how a lot this dynamic modified for us over a couple of quick months,” the researchers wrote. “First, the fashions obtained much more succesful. Second, we dramatically improved our methods for harnessing these fashions.”
The outcomes are placing: In April 2026, Firefox shipped 423 bug fixes, in comparison with simply 31 precisely a 12 months earlier. The researchers have additionally printed particulars on 12 of the bugs, which vary from a pair of surprising sandbox vulnerabilities, to a 15-year-old error in how the browser parses an HTML component.
“These items are literally simply immediately superb,” Brian Grinstead, a distinguished engineer at Mozilla, instructed TechCrunch. “We see that on our personal inside scanning, we see that on exterior bug studies, and we see that in all types of indicators throughout the trade.”
Techcrunch occasion
San Francisco, CA
|
October 13-15, 2026
The truth that the system helped reveal vulnerabilities in Firefox’s “sandbox” system is especially spectacular, given how intricate an assault that exploits it must be. To seek out sandbox vulnerabilities, the mannequin should write a compromised patch for the browser, then assault essentially the most safe a part of the software program with the brand new code carried out. Discovering and demonstrating the bug is a fragile, multi-step course of, requiring each creativity and shut consideration.
To place this into context, Mozilla’s bug bounty program pays researchers who can discover a bug in Firefox’s sandbox as much as $20,000 — the best reward out there. Regardless of the top-dollar bounty, nevertheless, Grinstead says Mythos is discovering extra sandbox points than human researchers ever did. “We do get them,” he instructed TechCrunch, “however not on the quantity that we’re capable of finding with this system.”
Notably, the Firefox crew nonetheless isn’t utilizing AI to repair the bugs, regardless of well-documented progress in AI coding instruments. The crew does ask AI to code up patches for every bug, however the ensuing code normally can’t be deployed immediately, and as an alternative serves as a mannequin for a human engineer.
“For the bugs we’re speaking about on this submit, each single one is one engineer writing a patch and one engineer reviewing it,” Grinstead says. “We’ve not discovered it to be automatable.”
It’s nonetheless not clear how AI’s rising capabilities will change the broader steadiness of energy in cybersecurity. One month since Mythos was previewed, a lot of the bugs found doubtless haven’t been patched, which makes it onerous to seize the total scope of their affect. Anthropic has been scrupulous about following accountable disclosure norms, nevertheless it’s doubtless dangerous actors are utilizing comparable methods behind the scenes, even when the fashions they’re utilizing aren’t fairly pretty much as good.
Talking at a recent event, Anthropic CEO Dario Amodei was optimistic that the brand new instruments would in the end favor defenders. “If we deal with this proper, we might be in a greater place than we began, as a result of we fastened all these bugs. There are solely so many bugs to seek out,” Amodei stated. “So I believe there’s a greater world on the opposite facet of this.”
Having handled the gritty particulars, Grinstead has a extra measured view: “It’s helpful for each attackers and defenders, however having the software out there shifts the benefit a bit of bit to protection. Realistically, no person is aware of the reply to this but.”
If you buy by way of hyperlinks in our articles, we may earn a small commission. This doesn’t have an effect on our editorial independence.
