Mozilla finds 423 Firefox security bugs in one month using Claude Mythos preview
Mozilla found 423 security bugs in Firefox during April 2026 using early access to Anthropic's Claude Mythos preview model — a 14x increase from their 20-30 monthly baseline. The company credits both improved model capabilities and refined techniques for filtering AI-generated findings.
Mozilla identified 423 security vulnerabilities in Firefox during April 2026 using early access to Anthropic's Claude Mythos preview model, according to a detailed technical post published by the organization. The company's baseline was 20-30 security bug fixes per month throughout 2025.
The increase is a 14x jump over Mozilla's typical monthly rate. February 2026 saw 61 fixes and March saw 76, before the April spike to 423.
From noise to signal
Mozilla attributes the results to two factors: improved model capabilities and refined harness techniques for steering and filtering model outputs. The company specifically addressed the recent problem of AI-generated security reports being "unwanted slop" that imposed asymmetric costs on maintainers.
"It is difficult to overstate how much this dynamic changed for us over a few short months," Mozilla wrote. "This was due to a combination of two main factors. First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models — steering them, scaling them, and stacking them to generate large amounts of signal and filter out the noise."
The bugs found included a 20-year-old XSLT vulnerability and a 15-year-old bug in the <legend> HTML element. Many attempted exploits identified by the AI harness were blocked by Firefox's existing defense-in-depth security measures.
Mythos model details unknown
Anthropic has not publicly announced Claude Mythos or disclosed its specifications. Mozilla had early access to the preview version, but context window size, pricing, benchmark scores, and release timeline remain undisclosed.
The finding process involved what Mozilla describes as "stacking" multiple models and implementing filtering systems to separate legitimate vulnerabilities from false positives — a critical requirement given the historical problem of low-quality AI-generated security reports overwhelming open source maintainers.
What this means
This represents the first documented case of an AI model materially accelerating security research at browser scale. The 14x increase in legitimate vulnerability discoveries suggests newer models combined with proper filtering infrastructure can shift the economics of security auditing. However, Mozilla's success depended on early access to an unreleased model and significant engineering work to build filtering systems, resources not available to most open source projects. The case also validates concerns about AI-assisted vulnerability discovery: if Mozilla found 423 bugs this quickly, adversaries with similar access could potentially do the same.