
Mozilla Reveals AI-Powered Bug Detection Boosts Firefox Security Fixes


"Ordinarily we keep detailed bug reports private for several months after shipping fixes and issuing security advisories, largely as a precaution to protect any users who, for whatever reason, were slow to update to the latest version of Firefox," Brian Grinstead, Christian Holler and Frederik Braun wrote as they explained why Mozilla briefly unhid a sample of recent vulnerability reports.

Mozilla's April bug cull: 423 fixes, an abrupt spike

Mozilla fixed 423 Firefox security bugs in April — a repair rate more than five times higher than the 76 fixes issued in March and roughly 20 times higher than last year’s monthly average of 21.5. The company attributed a substantial portion of that increase to AI-assisted discovery: Anthropic's Mythos Preview model was reported to have found 271 of the problems in Firefox 150. Mozilla linked a dozen of the recent bug reports publicly as a small, calculated disclosure to show selected technical wins.

Anthropic's Mythos and Opus 4.6: what was reported

Mozilla said Mythos found 271 vulnerabilities, and the company also acknowledged that Opus 4.6 — a less heralded model — was identifying “an impressive amount of previously unknown vulnerabilities.” The public sample includes a range of severities; one example Mozilla highlighted is a 20‑year‑old heap use‑after‑free bug that could be triggered by a web page via the XSLTProcessor DOM API without any user interaction. Many of the disclosed items are sandbox escapes, a class of bugs Mozilla noted is often hard to find using conventional techniques such as fuzzing.

The agentic harness: middleware that mediates AI results

Beyond the models themselves, the Firefox engineers emphasized the importance of the agentic harness — the middleware that steers AI models and translates their output into actionable security reports. Grinstead, Holler and Braun argue that recent improvements in both model quality and in how models are harnessed have increased the ratio of signal to noise in AI-generated security analysis. They said audit logs showed models attempting certain exploitation techniques unsuccessfully, which in turn helped validate prior hardening work designed to prevent prototype pollution attacks.
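The prototype pollution hardening mentioned above is easiest to see in code. The following is an added illustration, not Firefox code and not anything from Mozilla's or Anthropic's harness: a naive recursive merge that lets a hostile JSON document write onto Object.prototype, the hardened merge beside it, and an invariant check of the kind an audit harness could run after feeding untrusted input through the code under test. The function names, the FORBIDDEN key list and the HOSTILE sample document are all constructed for this example.

```javascript
// Added example (not Mozilla code). Demonstrates the bug class, the fix, and
// a post-run invariant check a harness can log.

// Naive deep merge: copies every own key of `src` into `dst`, including
// "__proto__", so nested input can climb onto Object.prototype.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      // dst["__proto__"] resolves to Object.prototype, which is an object,
      // so the recursion continues into the shared prototype.
      if (!dst[key] || typeof dst[key] !== "object") dst[key] = {};
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Keys that reach the prototype chain; refusing them is the hardening step.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Hardened deep merge: drops forbidden keys, only recurses into own
// properties, and creates nested containers without a prototype at all.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN.has(key)) continue;
    const val = src[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (!Object.hasOwn(dst, key) || typeof dst[key] !== "object") {
        dst[key] = Object.create(null); // null-prototype: nothing to pollute
      }
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Invariant a harness can evaluate after a run: Object.prototype must still
// carry no enumerable keys, and a fresh object must not see a planted key.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0 && !("polluted" in {});
}

// Constructed hostile input modelled on a JSON document a web page might
// hand to a merge routine; the "__proto__" key is the payload.
const HOSTILE = '{"theme":"dark","__proto__":{"polluted":true}}';

// Runs the naive merge, records whether an unrelated object was affected,
// then removes the planted key so later checks start from a clean state.
function demoUnsafe() {
  const result = unsafeMerge({}, JSON.parse(HOSTILE));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { theme: result.theme, leaked };
}

// Runs the hardened merge against the same input and reports the invariant.
function demoSafe() {
  const result = safeMerge({}, JSON.parse(HOSTILE));
  return {
    theme: result.theme,
    leaked: ({}).polluted === true,
    clean: prototypeIsClean(),
  };
}

console.log("unsafe:", demoUnsafe()); // leaked: true
console.log("safe:  ", demoSafe());   // leaked: false, clean: true
```

The check in prototypeIsClean is the kind of assertion that turns a model's failed exploitation attempt into an audit log entry: the harness feeds the input, runs the invariant, and records that the hardening held. In a real deployment the merge would typically be paired with freezing Object.prototype at startup so that even a routine missed by review cannot plant keys there.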

Davi Ottenheimer’s test and the question of measurement

Not everyone accepts the headline claim that Mythos alone produced the breakthrough. Davi Ottenheimer, president of consultancy flyingpenguin, wrote in a blog post that the Anthropic announcement looked like “ALL marketing and no real results,” calling Project Glasswing — Anthropic’s early‑access program for Mythos — “regulatory capture dressed up poorly as restraint.”

Ottenheimer followed that critique with a hands‑on experiment. He said he strapped Anthropic’s lesser models Sonnet 4.6 and Haiku 4.5 into a harness named Wirken with an auditing skill called Lyrik; in his account the setup produced eight findings in two minutes at a cost of about $0.75, and two of those matched bugs Mythos had identified. He told The Register that the improvement documented by Mozilla might be attributable largely to advances in harnessing rather than to a single model. “There's a fundamental philosophical failure in the Mozilla post. A reading and a measurement are not the same thing,” he wrote, adding that Mozilla “never quantifies what Opus 4.6 [did] before saying what Mythos added.”

Other security practitioners, The Register reported, have likewise found off‑the‑shelf models such as Opus 4.6 to be productive for bug hunting; the article notes that Opus costs about five times less than Mythos.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: AI tooling and improved harnesses can expand coverage beyond conventional fuzzing, particularly for hard‑to‑find classes like sandbox escapes. Mozilla says audit logs can show models attempting but failing exploitation techniques, which can validate hardening work.
  • Procurement leaders and program managers: The differing costs and claimed capabilities of Anthropic’s Mythos versus models like Opus 4.6 (and the testing described by Ottenheimer using Sonnet and Haiku) create tradeoffs. Mozilla’s post and independent experiments suggest organizations will need to evaluate both models and harnesses rather than relying on vendor statements alone.
  • End users and the general public: Mozilla’s decision to make fixes and a sample of reports public reflects a balance between rapid disclosure and protecting users who have not updated. The company said it usually withholds detailed reports for months, but unhid a sample because of strong interest and “the urgency of action needed throughout the software ecosystem.”

Mozilla’s April bug‑fix surge and Anthropic’s role have opened a debate that is technical and practical: whether the breakthrough lies in a new class of model, in lower‑cost alternatives, or in the harnesses that direct those models toward useful security findings. Mozilla has produced public examples and audit evidence; critics like Davi Ottenheimer have produced rapid, low‑cost experiments suggesting harnesses and cheaper models can also be effective. The immediate takeaway is narrow and concrete — more fixes reached users in April — while the broader question remains operational: which combinations of models and tooling reliably scale discovery without outsourcing the measurement to marketing claims?

https://www.theregister.com/security/2026/05/08/mozilla_says_ai_helped_squash_423_firefox_security_bugs/5235438