Table of Contents
Mozilla revealed on Tuesday that early access to Anthropic’s Mythos Preview model allowed it to flag 271 security vulnerabilities ahead of the Firefox 150 release last week. Firefox CTO Bobby Holley made the disclosure in a blog post, framing the result as a turning point for software defenders who have spent decades on the losing side of the cybersecurity arithmetic.
Key Takeaways:
- Mythos Preview identified 271 vulnerabilities in Firefox 150 source code, compared to just 22 found by Anthropic’s Opus 4.6 in the previous Firefox version.
- Mozilla CTO Raffi Krikorian argues that volunteer-maintained open source projects, which power much of the internet, urgently need access to tools of this caliber.
- Anthropic restricted Mythos Preview to a small set of critical industry partners earlier this month, citing the model’s offensive potential.
Anthropic announced Mythos Preview earlier this month and immediately limited its initial availability to “a limited group of critical industry partners,” citing concerns about its capabilities. That decision sparked argument across the security community: was the company sounding a real alarm about AI-aided hacking, or padding a routine capability bump with marketing weight? Mozilla’s numbers offer the first concrete data point in that debate.
Holley did not specify how serious each of the 271 issues was, but he supplied a useful comparison. Anthropic’s previous flagship, Opus 4.6, surfaced only 22 security-sensitive bugs when it analyzed Firefox 148 last month. The jump from 22 to 271 in a single model generation, against codebases of similar complexity, is what prompted his confident assessment that “defenders finally have a chance to win, decisively.”
“We’ve rounded the curve”
The bugs Mythos surfaced were not, in principle, beyond human reach. Holley noted that automated fuzzing or an “elite security researcher” working through Firefox’s source code could have located the same flaws. The difference is economic. Mythos eliminated the need to “concentrate many months of costly human effort to find a single bug” in many cases, he wrote. When discovery becomes cheap, the side that benefits most is the side patching holes rather than exploiting them.
“Computers were completely incapable of doing this a few months ago, and now they excel at it,” Holley wrote. “We have many years of experience picking apart the work of the world’s best security researchers, and Mythos Preview is every bit as capable.”
Speaking with Wired, Holley suggested the practice will quickly become non-optional across the software industry. AI-aided vulnerability analysis is something that “every piece of software is going to have to [engage with], because every piece of software has a lot of bugs buried underneath the surface that are now discoverable.” Future models may catch what Mythos missed, but Holley said he was confident that “at least on the Firefox side, having had a bit of a head start here, that we’ve rounded the curve.”
Open source projects face the steepest climb
The implications extend well past Mozilla’s own browser. Open source projects underpin enormous portions of the modern internet, and their public codebases are exactly the kind of material AI systems can ingest and probe most easily. Many of those projects rely on a thin layer of unpaid volunteer maintenance, which leaves their security posture chronically underfunded relative to their importance.
Mozilla CTO Raffi Krikorian made that argument directly in a New York Times essay last week. He framed the rough parity between attackers and defenders as a function of how hard software is to build and audit, and warned that Mythos-class tools could collapse that balance overnight if access stays asymmetric. “The programmer who gave 20 years of his life to maintain [open source] code that runs inside products used by billions of people? He doesn’t have access to Mythos yet. He should,” Krikorian wrote.
The question now is whether Anthropic and its peers can broaden access fast enough for the maintainers Krikorian describes, before less scrupulous parties build equivalent tooling of their own. Mozilla, with its head start, sounds confident. The rest of the open source ecosystem is still waiting for the keys.
Read More: Ukraine Hit Two Expensive Jets 1,700 km Away From Its Borders
