Mozilla Used Claude Mythos to Find 271 Firefox Bugs — Almost No False Positives

Mozilla shipped Firefox 150 with fixes for 271 security vulnerabilities discovered by Anthropic's Claude Mythos Preview. Of those, 180 carried Mozilla's highest internal severity rating: sec‑high — bugs exploitable through normal browsing. Another 80 landed at sec‑moderate, 11 at sec‑low. Ars Technica reported Firefox averaged just 20‑25 security fixes per month throughout 2025. In April 2026, the team shipped 423 total fixes, 271 tied directly to Mythos.

The model alone didn't produce these results. Mozilla built a custom agent wrapper — code that drives the LLM in a structured loop with access to Firefox's build systems, fuzzing infrastructure, and sanitizer builds. Mozilla Distinguished Engineer Brian Grinstead described it to Ars Technica: "the code that drives the LLM in order to accomplish a goal. It gives the model instructions, provides it tools, then runs it in a loop until completion." The wrapper transformed Mythos from a passive code reviewer into an active agent.

Mozilla's AI bug‑hunting pipeline runs in four stages. First, Mythos inspects a source file and crafts a test case — often HTML designed to trigger unsafe behavior. Second, the test runs against a Firefox sanitizer build. A crash equals a confirmed bug. Third, a second LLM grades the output. Fourth, a human engineer performs final review. The sanitizer build provides an unambiguous success signal — the binary crashes or it doesn't. That binary gate eliminated the hallucination problem. Business Insider noted one bug had gone undetected by fuzzers for years.

Earlier AI bug‑finding produced what Mozilla engineers called "unwanted slop" — plausible‑sounding bug reports that were wrong. The Mythos wrapper changed the economics. Grinstead told Ars Technica the reports now have "almost no false positives." Mozilla unhid 12 Bugzilla reports as evidence. The key insight: when your success signal is a sanitizer crash, there is nothing to hallucinate. The binary tells the truth.

The jump from Opus 4.6 to Mythos Preview quantifies the acceleration. Opus found 22 bugs in Firefox 148. Mythos found 271 in Firefox 150 — a 12x increase between consecutive releases. Mozilla CTO Bobby Holley wrote on the Mozilla blog: "computers were completely incapable of doing this a few months ago, and now they excel at it." Mozilla plans to integrate AI analysis directly into the Firefox development pipeline.

Software security has been offensively dominant for decades. Attackers need one weakness. Defenders must protect everything. AI vulnerability discovery at scale — paired with deterministic verification — flips that asymmetry. Holley's closing line on the Mozilla blog: "Defenders finally have a chance to win, decisively." The organizations that build the wrappers first will find the bugs first.