Mozilla validates 271 Firefox security flaws found by Anthropic Mythos with minimal false positives
Mozilla engineers say the approach yields scalable, reliable findings, but shipping them without individual CVE designations has left external scepticism about AI hype in place.

Mozilla has confirmed the validation of 271 security vulnerabilities in Firefox identified by the Anthropic Mythos AI model. The company reports an exceptionally low rate of false positives, attributing the success to a custom agent harness that guides the artificial intelligence through specific testing tasks. This methodology contrasts sharply with previous AI attempts in the sector that frequently generated significant hallucinations and unreliable reports.
The findings comprise 180 issues rated as high severity, 80 as moderate, and 11 as low. Mozilla engineers state that the custom harness wraps the large language model, granting it access to internal testing tools including a sanitizer build of Firefox. The system operates in a loop: the AI crafts test cases, runs them against the sanitizer build, and receives a deterministic yes or no signal, after which a secondary LLM grades the output so that only high-confidence findings are reported.
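As an added illustration (not Mozilla's harness and not the Mythos agent), the deterministic oracle step of such a loop can be sketched in Python: run a generated test case under a sanitizer-instrumented binary and reduce its stderr to a yes/no verdict that a later grading step can trust. The binary path, its arguments and the sample AddressSanitizer excerpt below are assumptions.

```python
"""Deterministic oracle step of a harness loop: run a candidate test case
under a sanitizer-instrumented binary and turn the sanitizer's stderr into
a yes/no verdict plus a small structured summary.

Constructed illustration; not Mozilla's harness and not the Mythos agent.
The binary path, its arguments and the ASan text below are assumptions."""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# AddressSanitizer / UndefinedBehaviorSanitizer headline patterns.
_ASAN_HEADLINE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
_UBSAN_HEADLINE = re.compile(r"runtime error: (.+)$", re.MULTILINE)
_TOP_FRAME = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+)", re.MULTILINE)

@dataclass
class Verdict:
    is_bug: bool              # the deterministic yes/no signal
    bug_class: Optional[str]  # e.g. "heap-use-after-free"
    top_frame: Optional[str]  # first function in the sanitizer stack

def classify_sanitizer_output(stderr: str) -> Verdict:
    """Parse sanitizer stderr into a verdict. Anything that is not a
    recognised sanitizer report counts as 'no', so plain crashes, timeouts
    and noisy output do not inflate the true-positive count."""
    m = _ASAN_HEADLINE.search(stderr)
    if m:
        frame = _TOP_FRAME.search(stderr)
        return Verdict(True, m.group(1), frame.group(1) if frame else None)
    m = _UBSAN_HEADLINE.search(stderr)
    if m:
        frame = _TOP_FRAME.search(stderr)
        return Verdict(True, "ubsan:" + m.group(1).strip(),
                       frame.group(1) if frame else None)
    return Verdict(False, None, None)

def run_case(binary: str, case_path: str, timeout_s: int = 30) -> Verdict:
    """Run one generated test case under the sanitizer build (assumed CLI:
    binary takes the case path). A timeout is 'no', not a finding."""
    try:
        proc = subprocess.run([binary, case_path], capture_output=True,
                              text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return Verdict(False, None, None)
    return classify_sanitizer_output(proc.stderr)

# Constructed ASan excerpt, shaped like a real report but not from Firefox.
SAMPLE_ASAN = """==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000040
READ of size 8 at 0x60b000000040 thread T0
    #0 0x55d0c0ffee00 in ExampleNode::GetParent() example.cpp:42
    #1 0x55d0c0ffee90 in main example.cpp:88
"""
```

Only a parsed sanitizer report flips the verdict to "yes"; a bare segfault or a hang is deliberately reported as "no" so the grading step never sees an unconfirmed crash as a finding.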
Mozilla CTO Brian Grinstead confirmed that the engineering team has completely embraced this AI-assisted approach, aiming to move beyond the unreliable reports often seen in earlier experiments. He noted that the combination of improved models and the specific harness allows for scalable, reliable bug discovery. Grinstead emphasised that the initiative is driven by a desire to spur industry action rather than any marketing agenda.
To demonstrate the reliability of the process, Mozilla engineers have released full Bugzilla reports for 12 of the 271 vulnerabilities. These reports provide the specific HTML or code test cases that trigger the unsafe memory conditions, meeting the same criteria required for all security bugs in Firefox. This transparency allows external observers to verify the test cases that led to the discovery of the flaws.
Despite the technical validation, the decision to bundle all 271 findings into a single patch without assigning individual CVE designations has drawn criticism from external observers. This is standard internal practice for Mozilla, but it has fuelled scepticism among those monitoring the AI security landscape, who worry that results may be cherry-picked. Critics remain wary of the hype surrounding AI in security, even as Mozilla engineers argue the data speaks for itself.
While some researchers have described the released reports as impressive, the broader debate over the utility of AI in cybersecurity continues. Mozilla maintains that the approach unlocks the ability to operate at a scale previously impossible, giving engineers a clear signal to iterate on code fixes. The company insists there is no specific model provider being promoted, but rather a demonstration of a technique that could redefine how software is secured.