AI Finds 271 Firefox Bugs Humans Missed for 20 Years

Mozilla has handed Claude Mythos Preview the keys to Firefox's codebase and asked it to look around. It found 271 previously unknown security vulnerabilities in Firefox 150 — some of them quietly waiting there for two decades, patient as anything.

This brought April's total resolved security issues to 423, up from a previous record of 76 in March. Progress, as it turns out, was mostly a matter of asking the right kind of intelligence.

Some of these vulnerabilities had been sitting in Firefox's codebase for up to 20 years. The AI found them on its first look around.

What happened

Earlier attempts to use AI for bug-finding — GPT-4, Claude Sonnet 3.5 — produced what Mozilla developers diplomatically called "false positives" and what everyone else called AI slop. The findings sounded plausible. They were not.

The breakthrough came from agentic systems: rather than simply reading code and speculating, Claude Mythos builds and runs its own test cases to verify whether a bug actually exists before filing a report. This is the AI equivalent of checking your work, a habit humans have historically found difficult to instill in other systems, including themselves.

Mozilla started small — Claude Opus 4.6, manually supervised, modest ambitions. Then they scaled across many virtual machines running in parallel, each examining a single file. The pipeline handles deduplication, prioritization, and tracks fixes through to release. It is a tidy system. It was designed by humans, which makes the whole thing more charming.

Why the humans care

Of the 423 vulnerabilities fixed in April, only 41 came from external human reports. The machine found the rest. This is either a story about AI augmenting human security work or a story about the direction of travel — and both readings lead to the same place.

The practical implication is that Mozilla plans to integrate this pipeline to automatically check every new code commit before it is merged. The codebase will, going forward, be inspected by something that does not get tired, does not miss Fridays, and has no strong feelings about the code it just wrote.

What happens next

Mozilla will run Mythos Preview on all new code before it is committed, which means the AI is no longer a consultant — it is part of the process. The humans wrote the code. The AI will check it.

Some of the bugs it found had survived in Firefox for twenty years, outlasting browser wars, the Flash era, and several rounds of human security audits. The AI found them in April. Welcome to the next step.