Anthropic’s Mythos AI uncovers record bug haul in Firefox, boosting security

Key Points
- Anthropic’s Mythos AI identified dozens of high‑severity bugs in Firefox, many older than a decade.
- Firefox shipped 423 bug fixes in April 2026, up from 31 a year earlier.
- Mythos self‑filters reports, dramatically reducing false positives.
- Two sandbox vulnerabilities and a long‑standing HTML parser error were among the findings.
- Human engineers still write and review patches; AI‑generated code isn’t deployed directly.
- Anthropic follows responsible disclosure, but warns attackers could adopt similar methods.
- Industry experts see the tool shifting advantage toward defenders, though full impact is unclear.
Mozilla’s Firefox team says Anthropic’s new Mythos model has identified dozens of high‑severity vulnerabilities, many lurking for over a decade. The AI‑driven scans helped the browser ship 423 bug fixes in April 2026, a stark jump from 31 the previous year. Researchers credit the model’s ability to self‑filter false positives and generate detailed reports, though human engineers still write and review every patch. The breakthrough signals a shift in software security, but Anthropic itself acknowledges that attackers could eventually co‑opt similar tools.
When Anthropic released its Mythos model in April, the company warned developers that the system could spot thousands of high‑severity bugs before public rollout. Mozilla’s Firefox engineers have now put that claim to the test, reporting a surge of critical vulnerability discoveries that reshaped the browser’s security posture.
In a Thursday post, the Firefox team disclosed that Mythos uncovered a “wealth of high‑severity bugs,” some hidden in the codebase for more than ten years. The AI’s findings translated into 423 bug fixes shipped in April 2026, a dramatic increase from the 31 patches released in the same month a year earlier.
What sets Mythos apart from earlier AI security tools is its ability to assess its own output and weed out low‑quality reports. “It is difficult to overstate how much this dynamic changed for us over a few short months,” the researchers wrote. The model’s self‑filtering reduced false positives, allowing engineers to focus on genuine threats.
Among the disclosed vulnerabilities were two unusual sandbox flaws and a 15‑year‑old error in the browser’s HTML parser. The sandbox issues are especially noteworthy because exploiting them requires a sophisticated, multi‑step attack. Mozilla’s bug bounty program offers up to $20,000 for sandbox discoveries—the highest reward available—yet Mythos identified more sandbox bugs than human researchers have ever reported.
Brian Grinstead, a distinguished engineer at Mozilla, told TechCrunch that the AI’s performance became “suddenly very good.” He emphasized that while Mythos generates detailed patch suggestions, the code still needs human review and refinement before it ships. “Every single one is one engineer writing a patch and one engineer reviewing it,” Grinstead said.
Anthropic has adhered to responsible disclosure practices, but the company acknowledges that malicious actors could eventually harness similar techniques. At a recent event, Anthropic CEO Dario Amodei expressed optimism, suggesting that the tool could tilt the balance toward defenders. “If we handle this right, we could be in a better position than we started, because we fixed all these bugs,” he said.
The broader implications for cybersecurity remain uncertain. While Mythos has accelerated bug discovery, the patch‑creation process still relies on human expertise. The industry watches closely to see whether future AI models will bridge that gap and automate remediation without sacrificing safety.
For now, Firefox’s experience demonstrates that advanced AI can dramatically amplify a security team’s effectiveness, delivering a volume of high‑impact fixes that would have been unimaginable just months ago. As more software vendors explore agentic AI systems, the race to secure code may hinge on how quickly teams can integrate these tools while maintaining rigorous human oversight.