Quality assurance · Production

Mozilla hardens Firefox by fixing 271 latent security bugs with Claude Mythos Preview

The problem

Firefox contained latent security bugs that were notoriously difficult to find with traditional fuzzing, particularly sandbox escapes in the multiprocess browser engine that required complex reasoning to discover.

First attempt

Early LLM code audit experiments using GPT 4 and Sonnet 3.5 for static analysis of high-risk code showed some promise but produced a high rate of false positives that made scaling impractical, and AI-generated security reports to open source projects broadly were regarded as unwanted noise.

Workflow diagram · grounded in source
1
Prompt harness to find bug
trigger
“there is a bug in this part of the code, please find it and build a testcase”
2
AI creates dynamic test cases
ai_action
“it can create and run reproducible test cases to dynamically test hypotheses about bugs in code”
3
Validate real bugs vs noise
validation
“These can find real bugs and dismiss unreproducible speculation”
4
Parallelize across ephemeral VMs
integration
“we parallelized the jobs across multiple ephemeral VMs, each tasked to hunt for bugs within a specific target file and write its findings back to a bucket”
5
Deduplicate, track, and triage
routing
“deduplicating against known issues, tracking bugs, triaging them, and getting fixes shipped”
6
Human review and patch
human_review
“Over 100 people contributed code to this effort to ship the most secure Firefox yet. In addition to writing and reviewing patches, others have been building and scaling this pipeline, triaging, testing the fixes, and managing the release…”
7
Ship fixes in Firefox releases
output
“fixing the 271 bugs identified by Claude Mythos Preview in the 150 release”
Reported outcome

Mozilla identified and fixed 271 previously-unknown vulnerabilities using Claude Mythos Preview in Firefox 150, including 180 sec-high and 80 sec-moderate bugs, with 423 total security bugs fixed in April releases.

Reported metrics
bugs identified by Claude Mythos Preview in Firefox 150271
total security bugs fixed in April releases423
Externally reported bugs41
Sec-high bugs (of 271)180
Show all 8 reported metrics
bugs identified by Claude Mythos Preview in Firefox 150271
total security bugs fixed in April releases423
externally reported bugs41
sec-high bugs (of 271)180
sec-moderate bugs (of 271)80
sec-low bugs (of 271)11
contributors to the effortOver 100
CVEs credited directly to Anthropic3
Reported stack
Claude Mythos PreviewClaude Opus 4.6GPT 4Sonnet 3.5AddressSanitizer
Source
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

Mozilla identified and fixed 271 previously-unknown vulnerabilities using Claude Mythos Preview in Firefox 150, including 180 sec-high and 80 sec-moderate bugs, with 423 total security bugs fixed in April releases.

What tools did this team use?

Claude Mythos Preview, Claude Opus 4.6, GPT 4, Sonnet 3.5, AddressSanitizer.

What results were reported?

bugs identified by Claude Mythos Preview in Firefox 150: 271; total security bugs fixed in April releases: 423; Externally reported bugs: 41; Sec-high bugs (of 271): 180 (source-reported, not independently verified).

What failed first in this deployment?

Early LLM code audit experiments using GPT 4 and Sonnet 3.5 for static analysis of high-risk code showed some promise but produced a high rate of false positives that made scaling impractical, and AI-generated securit…

How is this quality assurance AI workflow structured?

Prompt harness to find bug → AI creates dynamic test cases → Validate real bugs vs noise → Parallelize across ephemeral VMs → Deduplicate, track, and triage → Human review and patch → Ship fixes in Firefox releases.