Mozilla’s latest collaboration with Anthropic’s AI model, Mythos, has ignited a fresh debate about the future of cybersecurity. The nonprofit organization revealed that Mythos identified 271 security vulnerabilities in Firefox over a two-month period, a number so high it has left both security experts and developers questioning whether AI is truly revolutionizing vulnerability discovery—or if the results are simply the product of an unprecedented, if still imperfect, tool. What is clear is that Mozilla’s use of Mythos has pushed the boundaries of what’s possible in automated security testing, even as critics demand more transparency and independent verification of the claims.
The announcement comes as Mozilla and Anthropic continue to refine their partnership, which began earlier this year with the use of Anthropic’s Claude Opus 4.6 model. That initial effort uncovered 22 security-sensitive bugs in Firefox 148, 14 of which Mozilla rated as high-severity. Now, with Mythos, the numbers are dramatically higher: 271 vulnerabilities, including 180 classified as “sec-high,” meaning they can be exploited through normal user behavior, such as visiting a web page. Only vulnerabilities rated “sec-critical” (reserved for zero-days) are considered more severe. The remaining bugs were rated as “sec-moderate” (80) or “sec-low” (11).
Mozilla’s characterization of Mythos as having “almost no false positives” is a bold assertion, one that has drawn skepticism from the cybersecurity community. Critics point out that Mozilla does not typically obtain CVE (Common Vulnerabilities and Exposures) designations for internally discovered security bugs. Instead, these vulnerabilities are bundled into single patches and reported through Mozilla’s Bugzilla system, often hidden for several months after fixes are applied to protect users who may not patch immediately. While Mozilla has now revealed a dozen of these bugs, critics argue that the selection may be cherry-picked, obscuring less accurate or more problematic results.
Why the Numbers Matter—and Why They’re Controversial
The sheer volume of vulnerabilities found by Mythos—more than twelve times the number discovered by Claude Opus 4.6—has left some security experts with a sense of “vertigo,” as Mozilla CTO Bobby Holley described it. The implication is that AI models like Mythos could soon make it possible to identify the vast majority of latent security flaws in complex software, a prospect that could reshape how developers and security teams approach vulnerability management. However, the lack of independent verification and the absence of CVE listings for these bugs have fueled doubts about whether the results are as robust as Mozilla claims.

Anthropic’s Mythos model is part of a broader trend in AI-assisted security research, where frontier models are being tested for their ability to autonomously identify high-severity vulnerabilities. Earlier this year, Anthropic announced that it was limiting the initial release of Mythos to a select group of industry partners, citing concerns about the potential for misuse. Mozilla’s collaboration with Anthropic is framed as a step toward improving the security of open-source software, but the partnership has also raised questions about whether the results are being used to promote AI-driven security tools more broadly.
Mozilla’s Transparency—and Its Limits
Mozilla has taken steps to address skepticism by disclosing more details about the process and the bugs identified. In a recent blog post, Mozilla’s Brian Grinstead acknowledged the skepticism surrounding AI-assisted vulnerability discovery, noting that the tech community has grown weary of “slop commits”—low-quality or irrelevant code changes—that can clutter repositories. “We felt it was important to show some of our work, open up some of the bugs, and talk about it in a little more detail as a way to hopefully spur some action or continue the conversation,” Grinstead said. He emphasized that Mozilla’s motivation is not marketing but rather a desire to demonstrate the potential of AI-assisted techniques for vulnerability discovery.

Yet, the debate is far from settled. While Mozilla has released details about a subset of the vulnerabilities, the full scope of Mythos’s capabilities—and its limitations—remains unclear. The company’s policy of bundling internally discovered vulnerabilities into single patches, rather than assigning individual CVEs, means that external researchers and security teams cannot easily audit or replicate the findings. This opacity has led some to question whether the results are as groundbreaking as they seem, or if they reflect a more targeted or selective process.
What’s Next for AI and Cybersecurity?
Mozilla and Anthropic have not yet announced the next steps for their collaboration, but the implications of this work extend far beyond Firefox. If AI models like Mythos can reliably identify a large number of vulnerabilities with minimal false positives, the technology could become a standard tool in the cybersecurity arsenal. However, the path forward will require greater transparency, independent verification, and collaboration among industry partners to ensure that these tools are used responsibly and effectively.
For now, the cybersecurity community remains divided. Some see Mozilla’s results as evidence of a coming revolution in how vulnerabilities are discovered and patched. Others view the claims with caution, arguing that more rigorous testing and independent validation are needed before AI-assisted vulnerability discovery can be trusted as a reliable method. As the debate continues, one thing is certain: the conversation about the role of AI in cybersecurity is only just beginning.
Mozilla has not yet announced a specific timeline for further updates or public demonstrations of Mythos’s capabilities. However, the organization has indicated that it will continue to engage with the security community to address questions and concerns. For the latest official updates, see Mozilla’s security blog.
