Mozilla Fixes Record 423 Firefox Bugs in One Month
Mozilla Corp. has shattered its internal security records: it announced the repair of 423 Firefox vulnerabilities in April, a fix rate five times that of the previous month and nearly 20 times the company's 2025 monthly average of 21.5 fixes.
The catalyst for the spike is an agentic artificial intelligence (AI) pipeline built around Anthropic's high-end Claude Mythos Preview model. According to Mozilla, AI was responsible for identifying 271 of the month's vulnerabilities. The release of Firefox 150 served as the primary vehicle for these fixes, with 180 of the AI-discovered bugs classified as "high severity," meaning vulnerabilities that could be exploited simply by a user visiting a malicious webpage.
Mozilla engineers Brian Grinstead, Christian Holler, and Frederik Braun credit the transformation not just to better models, but to the “agentic harness” — the middleware that directs the AI. Unlike earlier iterations that produced slop or false positives, the new system forces the AI to generate and execute reproducible proof-of-concept test cases to validate its findings.
“Over the past few months, AI-generated security reports have gone from slop to rather more tasty,” the team said. Notably, AI surfaced flaws that traditional “fuzzing” methods often miss, including a 20-year-old heap use-after-free bug in the XSLT engine and several complex sandbox escapes.
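The validation step the engineers describe, requiring a reproducible proof-of-concept before a finding counts, is the part of the harness that separates a real report from "slop". The following is an added illustration of that gate, not Mozilla's harness or Anthropic's code: a finding carries a reproducer command, the gate runs it several times and accepts the finding only if every run reports the same sanitizer bug class. The targets here are constructed stand-in scripts that print an AddressSanitizer-style line (or exit cleanly) so the example runs offline without Firefox; the finding IDs and claims are likewise made up.

```python
"""
Added example (not Mozilla's harness): a validation gate of the kind the
article describes. An AI-generated finding is accepted only if its
reproducer triggers a deterministic memory-sanitizer report. The targets
are constructed stand-ins (tiny Python scripts), not a real browser build.
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Sanitizer report lines that count as a confirmed memory-safety defect.
SANITIZER_SIGNATURE = re.compile(
    r"ERROR: (AddressSanitizer|UndefinedBehaviorSanitizer|MemorySanitizer): ([\w-]+)"
)


@dataclass
class Finding:
    finding_id: str          # constructed identifier, not a real bug number
    claim: str               # what the model asserts the bug is
    reproducer: List[str]    # command that should trigger the defect
    runs: int = 3            # how many consecutive reproductions are required
    timeout_s: int = 30


@dataclass
class Verdict:
    accepted: bool
    bug_class: Optional[str]
    reason: str
    observed: List[Optional[str]] = field(default_factory=list)


def run_reproducer(cmd: List[str], timeout_s: int) -> Optional[str]:
    """Run one reproducer; return the sanitizer bug class it reports, or None."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return None  # a hang is not a confirmed memory-safety report
    match = SANITIZER_SIGNATURE.search(proc.stderr)
    return match.group(2) if match else None


def validate(finding: Finding) -> Verdict:
    """Accept only if every run reports the same sanitizer bug class."""
    observed = [run_reproducer(finding.reproducer, finding.timeout_s)
                for _ in range(finding.runs)]
    classes = set(observed)
    if classes == {None}:
        return Verdict(False, None, "reproducer never triggered a sanitizer report", observed)
    if None in classes or len(classes) > 1:
        return Verdict(False, None, "non-deterministic reproduction; needs manual triage", observed)
    return Verdict(True, classes.pop(), f"reproduced {finding.runs}/{finding.runs} runs", observed)


# Constructed stand-in targets: one emits an ASan-style use-after-free line on
# stderr and exits non-zero, the other exits cleanly (a false positive).
FAKE_UAF_TARGET = [
    sys.executable, "-c",
    "import sys; sys.stderr.write('==1==ERROR: AddressSanitizer: "
    "heap-use-after-free on address 0x602000000010\\n'); sys.exit(1)",
]
FAKE_CLEAN_TARGET = [sys.executable, "-c", "import sys; sys.exit(0)"]


def demo() -> dict:
    """Run the gate over two constructed findings and return their verdicts."""
    findings = [
        Finding("ai-0001", "heap use-after-free in XSLT node handling (constructed claim)", FAKE_UAF_TARGET),
        Finding("ai-0002", "out-of-bounds read in an image decoder (constructed claim)", FAKE_CLEAN_TARGET),
    ]
    return {f.finding_id: validate(f) for f in findings}


if __name__ == "__main__":
    for fid, verdict in demo().items():
        status = "ACCEPT" if verdict.accepted else "REJECT"
        print(f"{fid}: {status} {verdict.bug_class or '-'} ({verdict.reason})")
```

In a real pipeline the reproducer would be a sanitizer-instrumented build of the target run inside an isolated container, and the accepted verdict would be what gets filed, with the raw model claim kept only as an annotation; a finding that reproduces inconsistently is routed to a human rather than dropped, since flaky memory bugs are often the most serious ones.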
Despite the impressive numbers, some industry experts remain wary of the narrative. Anthropic has restricted access to Mythos via its Project Glasswing consortium, claiming the model is too dangerous for public release.
Davi Ottenheimer, president of security consultancy flyingpenguin, dismissed the “danger” narrative as marketing-driven “regulatory capture.”
To prove his point, Ottenheimer ran a test using Anthropic’s cheaper, off-the-shelf models — Sonnet 4.6 and Haiku 4.5 — strapped into a custom harness. His results were telling: eight vulnerabilities found in two minutes at a cost of just 75 cents. Two of those findings matched the bugs identified by the restricted Mythos model.
“The threat narrative so far appears to be all marketing and no real results,” Ottenheimer told The Register. He criticized Mozilla’s reporting as circular logic, noting that the browser maker failed to provide a transparent comparison showing what Mythos could find that cheaper models or existing tools could not.
Regardless of the debate over which model is superior, Mozilla is urging the software ecosystem to adopt AI-driven remediation immediately. The organization is moving toward integrating this pipeline into its continuous integration (CI) system to scan incoming code patches in real-time.
By making a sample of these bug reports public, Mozilla hopes to demonstrate that the era of "manual" bug hunting is evolving.
Whether this shift represents a true “step change” in security or a sophisticated marketing win for AI providers, the result remains the same: a significantly more hardened Firefox browser for millions of users.