Mozilla’s security team leveraged Claude Mythos Preview to uncover and patch over a hundred hidden vulnerabilities in Firefox. The initiative, launched in early 2024, deployed agentic harnesses that generate reproducible tests, allowing developers to validate fixes before release. This effort exposed a mix of sandbox escapes, race conditions, and rare edge‑case bugs that traditional fuzzers missed.

The harness operates by parallelizing queries across dozens of virtual machines, each targeting specific source files and returning concise bug reports. Mozilla’s pipeline then deduplicates findings, tracks them through triage, and integrates fixes into the main codebase. Early results include a WebAssembly GC flaw that could enable arbitrary memory reads.

Beyond the discovered bugs, Mozilla highlighted that the AI model’s inability to bypass layered defenses validates existing hardening measures. The team froze prototype pollution vectors after earlier research exposed potential escapes, demonstrating the value of architectural changes over patch‑by‑patch fixes. This dual strategy tightens Firefox’s security perimeter.

Mozilla’s disclosure of a curated sample of bug reports—ranging from a race over IndexedDB to a NaN‑based IPC trick—offers the community a rare glimpse into the model’s analytical depth. By sharing these findings, Mozilla urges other projects to adopt similar AI‑driven pipelines, potentially accelerating the detection of elusive vulnerabilities across the open‑source ecosystem.