Mozilla Finds 271 Real Bugs in Firefox Using Anthropic's Mythos AI

Mozilla used Anthropic's Mythos AI to find 271 security flaws in Firefox with almost no false positives, marking a shift in vulnerability discovery.

Mozilla has revealed that Anthropic’s Mythos AI model helped its security team identify 271 vulnerabilities in Firefox over a two-month period, and the company claims the results contain almost no false positives. The disclosure offers a rare, detailed look at how large language models can be harnessed for serious software security work.

AI-assisted vulnerability discovery is not new, but it has long been plagued by a frustrating problem: hallucinated bug reports. Security researchers frequently find that models generate plausible-sounding vulnerability descriptions that fall apart under human review. The result is a flood of wasted engineering time and eroded trust in automated tools.

Mozilla Distinguished Engineer Brian Grinstead explained that the breakthrough came from two factors. First, the models themselves have improved. Second, and more importantly, Mozilla built a custom “agent harness,” a piece of code that wraps around the LLM and guides it through specific tasks using the same build tools and testing pipelines human developers rely on.

The harness gives Mythos clear instructions, such as finding a bug in a specific file, and provides access to Firefox’s sanitizer builds and fuzzing infrastructure. A second LLM then grades the output from the first, providing an additional layer of verification. Grinstead said this loop creates a deterministic success signal that gives developers the same confidence they have with traditional discovery methods.
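As an added illustration (not Mozilla's harness code, which the article does not show), the sketch below shows one way such a loop can produce a deterministic signal: a model's claim is accepted only when a sanitizer log confirms the claimed error class in the claimed file. It assumes AddressSanitizer-style output; `verify_finding`, `crash_stack`, the claim fields and all sample paths are hypothetical.

```python
import re

# Patterns for the AddressSanitizer report format: one ERROR header, then numbered frames.
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)", re.M)
FRAME_RE = re.compile(
    r"^\s+#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<file>[^\s:]+):(?P<line>\d+)", re.M)

def crash_stack(log):
    """Frames of the first stack only; later stacks (free/alloc sites) restart at #0."""
    frames = []
    for m in FRAME_RE.finditer(log):
        if m["n"] == "0" and frames:
            break
        frames.append((m["func"], m["file"], int(m["line"])))
    return frames

def verify_finding(claim, log, max_depth=3):
    """Accept a model-reported bug only when the sanitizer log corroborates it."""
    err = ERROR_RE.search(log)
    if err is None:
        return (False, "test case ran clean: no sanitizer error")
    if err["kind"] != claim["kind"]:
        return (False, f"claimed {claim['kind']}, sanitizer saw {err['kind']}")
    top = crash_stack(log)[:max_depth]
    if not any(path.endswith(claim["file"]) for _, path, _ in top):
        return (False, f"crash is not in {claim['file']}")
    return (True, f"{err['kind']} reproduced in {claim['file']}")

# Constructed sample logs (hypothetical paths and function names, not real Firefox output).
REPRO_LOG = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001234 at pc 0x55d1c3 bp 0x7ffd10 sp 0x7ffd08
READ of size 8 at 0x602000001234 thread T0
    #0 0x55d1c3 in example::Widget::Paint() /src/dom/example/Widget.cpp:142:9
    #1 0x55d9aa in example::Frame::Draw() /src/layout/example/Frame.cpp:77:3
freed by thread T0 here:
    #0 0x4a1b2c in free /src/llvm/asan_malloc_linux.cpp:52:3
    #1 0x55c001 in example::Widget::Destroy() /src/dom/example/Widget.cpp:98:5
SUMMARY: AddressSanitizer: heap-use-after-free /src/dom/example/Widget.cpp:142:9 in example::Widget::Paint()
"""
CLEAN_LOG = "TEST-PASS | constructed_testcase.html | took 812ms\n"

CLAIM = {"file": "dom/example/Widget.cpp", "kind": "heap-use-after-free"}
WRONG_FILE = {"file": "dom/example/Other.cpp", "kind": "heap-use-after-free"}

if __name__ == "__main__":
    for name, claim, log in [("reproduced", CLAIM, REPRO_LOG),
                             ("clean run", CLAIM, CLEAN_LOG),
                             ("wrong file", WRONG_FILE, REPRO_LOG)]:
        print(name, verify_finding(claim, log))
```

A gate of this kind rejects a report whose test case runs clean or crashes somewhere other than the code the model named, which is the class of hallucinated finding the article describes.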

Mozilla also published full Bugzilla reports for 12 of the 271 vulnerabilities, including test cases that trigger unsafe memory conditions. Independent researchers who reviewed the reports described them as genuinely impressive.

Why it matters

If the technique scales, it could mark a turning point in how open-source projects defend against zero-day exploits. Rather than replacing human auditors, the system amplifies their reach, allowing small security teams to cover far more code than previously possible. For the broader industry, Mozilla’s openness about methodology sets a benchmark for how AI-assisted security research should be conducted and validated.
