Anthropic's Model Found Zero‑Days
What happened
- Mozilla said Anthropic's Claude Mythos model found 271 previously unpatched vulnerabilities in Firefox during testing, and the fixes shipped in Firefox 150.
- Anthropic said the model not only found those zero-days but also generated working exploit code for older Firefox flaws.
- Anthropic is withholding general release of the model after its bug-hunting proved 'too effective', restricting access to a partner program instead; the episode underscores how quickly AI can surface security gaps and how hard it is to patch them in time.
Why it matters
A zero-day is a vulnerability for which no fix exists yet, usually because the vendor did not know about it before it was found. Mozilla said Firefox 150, released on April 21, shipped with patches for 271 such flaws found during testing with Anthropic’s Claude Mythos Preview. (blog.mozilla.org) (developer.mozilla.org) According to Mozilla, an early Mythos run identified those 271 vulnerabilities during an initial evaluation of Firefox, and the fixes landed in the Firefox 150 release this week. (blog.mozilla.org) (developer.mozilla.org)

Anthropic said Mythos is not being made generally available and is instead being limited through Project Glasswing, a program announced April 7 with partners including Amazon Web Services, Apple, Google, Microsoft, Nvidia, Cisco, CrowdStrike, JPMorganChase and the Linux Foundation. (red.anthropic.com) (anthropic.com 1) (anthropic.com 2)

In plain terms, Anthropic is using a language model as an automated bug hunter: it reads code, tests edge cases, and in some cases writes proof-of-concept exploit code that demonstrates how a flaw could be abused. A working proof of concept matters because it turns a suspected bug into a confirmed, triageable one, which is what a vendor needs before it can prioritise a fix. Anthropic said Mythos can identify and exploit zero-days in every major operating system and every major web browser when directed to do so. (red.anthropic.com) (www-cdn.anthropic.com)

Mozilla had already tested Anthropic’s earlier tooling before Mythos. In March, Mozilla said Anthropic’s Frontier Red Team had surfaced more than a dozen verifiable Firefox bugs, and Mozilla fixed those findings ahead of Firefox 148. (blog.mozilla.org)

Mozilla’s post on the 271 fixes argues that the balance in browser security could change as more defenders get access to systems that can search for subtle bugs faster than human teams alone. Anthropic’s own write-up says more than 99% of the vulnerabilities it has found across its testing remain unpatched, which is why it is withholding broad release. (blog.mozilla.org) (red.anthropic.com)

Outside reporting added detail on the Firefox test. Ars Technica, Wired and SecurityWeek each reported that Mythos also generated exploit code for older Firefox flaws, citing Mozilla’s and Anthropic’s descriptions of the model’s security work. (arstechnica.com) (wired.com) (securityweek.com)

Mozilla has not published a list in its blog post naming all 271 findings one by one, but its security advisories track Firefox vulnerabilities by severity and release, so the advisory for Firefox 150 is where to look for the severity breakdown. Mozilla rates a flaw critical when it can be used to run attacker code and install software with no user interaction beyond normal browsing, and high when it can be used to read sensitive data from, or inject data or code into, sites in other windows. (mozilla.org 1) (mozilla.org 2) Note that a headline count of 271 fixed findings says nothing about how many were remotely reachable or exploitable in a default configuration; the per-advisory severity ratings are the better guide to risk.

The immediate result is concrete: Firefox users got a browser update with hundreds of security fixes, and Anthropic kept the model behind a restricted-access program instead of a public launch. That leaves Mozilla patching and Anthropic screening who gets the bug hunter next. (blog.mozilla.org) (red.anthropic.com) (anthropic.com)
Key numbers
- Mozilla said the model found 271 zero-days in Firefox, and Anthropic said it also generated exploit code for older Firefox flaws.
- Firefox 150 shipped on April 21 with patches for those 271 vulnerabilities, found during testing with Anthropic’s Claude Mythos Preview. (blog.mozilla.org) (developer.mozilla.org)
- Mozilla said an early Mythos run identified the 271 vulnerabilities during an initial evaluation of Firefox, and the fixes landed in Firefox 150 this week.
- In March, Mozilla said Anthropic’s Frontier Red Team had surfaced more than a dozen verifiable Firefox bugs, which Mozilla fixed ahead of Firefox 148.
- Anthropic said more than 99% of the vulnerabilities it has found across its testing remain unpatched, the stated reason for restricting the model to Project Glasswing partners. (red.anthropic.com)
What happens next
- Mozilla’s post on the 271 fixes argues that the balance in browser security could change as more defenders get access to systems that can search for subtle bugs faster than human teams alone. (blog.mozilla.org)
- The immediate result is concrete: Firefox users got a browser update with hundreds of security fixes, and Anthropic kept the model behind a restricted-access program instead of a public launch. (mozilla.org 1) (mozilla.org 2)
- That leaves Mozilla patching and Anthropic screening who gets the bug hunter next. For users and administrators, the actionable step is to confirm that Firefox is on version 150 or later.
Quick answers
What happened in Anthropic's Model Found Zero‑Days?
Mozilla said Anthropic's Claude Mythos model found 271 previously unpatched vulnerabilities in Firefox during an initial evaluation, and Anthropic said the model also generated exploit code for older Firefox flaws. Mozilla shipped fixes for all 271 in Firefox 150 on April 21. Anthropic is not releasing the model generally, limiting access through Project Glasswing instead.
Why does Anthropic's Model Found Zero‑Days matter?
It shows a language model working as an automated bug hunter at a scale no human team matches: Anthropic said Mythos can identify and exploit zero-days in every major operating system and browser when directed to do so, and that more than 99% of the vulnerabilities it has found remain unpatched. Mozilla argues that the balance in browser security could shift as more defenders gain access to such systems; until then, the practical outcome is a Firefox update with hundreds of security fixes that users should install.