Amid a raging debate over the impact that new AI models will have on cybersecurity, Mozilla said on Tuesday that its Firefox 150 browser release this week includes protections for 271 vulnerabilities identified using early access to Anthropic’s Mythos Preview. The Firefox team says that it has taken resources and discipline to adjust to the firehose of bugs that new AI tools can uncover, but that this big lift is necessary for the security of Mozilla’s users, given that the capabilities will inevitably be in attackers’ hands soon.
Both Anthropic and OpenAI have announced new AI models in recent weeks that the companies say have advanced cybersecurity capabilities that could represent a turning point in how defenders—and, crucially, attackers—find vulnerabilities and misconfigurations in software systems. With this in mind, the companies have so far only done limited private releases of their new models, and both have also convened industry working groups meant to assess the advances and strategize. In practice, though, cybersecurity experts have a range of views on how consequential the new capabilities will be.
Mozilla’s experience, at least in the short term, shows that AI tools like Mythos Preview could have a profound impact for vulnerability hunters.
“Our belief is that the tools have changed things dramatically, because now we have automated techniques that can cover, as far as we can tell, the full space of vulnerability-inducing bugs,” says Bobby Holley, Firefox’s chief technology officer. For years, he says, Firefox and other organizations have relied on a combination of automated vulnerability hunting techniques, like software fuzzing, and manual vulnerability hunting by internal and external researchers to find and fix flaws. And attackers have had these same tools and methods at their disposal.
“There were categories of bugs that you could find with human analysis that you couldn’t find with automated analysis and, therefore, it was always possible if you were a threat actor and you were willing to spend many millions of dollars to find a bug—we tried to drive the price of that as high as possible,” Holley says.
Holley now says that emerging AI capabilities will create a sort of bootcamp that all software will have to go through one way or the other to find and fix a set of latent vulnerabilities in their code. Companies like Anthropic and OpenAI seem to be trying to get as many major players as possible to go through this overhaul before the capabilities are more widely available.
“Every piece of software is going to have to make this transition, because every piece of software has a lot of bugs buried underneath the surface that are now discoverable,” Firefox’s Holley says. “This is a transitory moment that is difficult and requires coordinated focus and a lot of grit to get through, but I think that it is a finite moment, even as the models become more advanced. Maybe the more advanced models will find a few things here or there, but I believe that, at least on the Firefox side having had a bit of a head start here, that we’ve rounded the curve.”
Holley says that the Firefox team gained access to Mythos Preview as part of direct collaboration with Anthropic and that Mozilla is not formally part of its larger consortium, called Project Glasswing.
Firefox is open source, a type of software that in general could be particularly impacted by new AI bug hunting capabilities given that many open source projects are widely used and relied upon around the world and yet are often maintained by a very small group of volunteers or just one person. And the effects could be especially consequential for “abandonware” that is no longer maintained at all.
Raising awareness about the urgency of the issue and the reality of what it takes to secure software in the age of advanced AI vulnerability hunting, both in terms of resources and time, is crucial to getting all hands on deck for open source, Holley says.
“I’ve talked to engineering leaders at very large companies who are saying that they’re going to be pulling thousands of engineers off of everything to be working on this for the next six months,” he says. “So it is going to be a big challenge for industry, and the concern is for smaller projects and open source. It’s difficult for these maintainers to not only have the wherewithal and the access to be able to use these tools, but also to actually do anything with them.”
In a New York Times Opinion essay last week, Mozilla CTO Raffi Krikorian argued that even with gestures from companies like Anthropic, the arrival of these new AI cybersecurity capabilities will perpetuate dynamics that have played out in software for decades.
“The underlying economics haven’t changed,” Krikorian wrote. “The most valuable software infrastructure in the world continues to be maintained by people working for free, while the companies building fortunes on top of it never had to pay for its upkeep. Now a powerful new capability has arrived—and as we’ve seen repeatedly in tech, there’s the risk that organizations with resources will receive it first and learn to protect themselves, while others are left vulnerable.”
For its part, Firefox’s Holley says his team has relationships across the open source ecosystem and is working both formally and informally with as many maintainers as it can to share knowledge and tools.
“Ultimately the open source stuff is a human problem,” Holley says. “There’s only so much that you can scale with technology—there’s a lot of the industry and everybody just needing to come together.”
Updated at 2:36 pm ET, April 21, 2026: Corrected the headline with the total number of bugs Mozilla found and fixed in Firefox using Anthropic’s Mythos Preview.
