Claude Mythos finds 271 bugs
- Anthropic's Claude Mythos scanned Firefox and identified 271 potential security vulnerabilities in a single evaluation pass.
- Mozilla reported that the model matched elite human researchers in scale during that single scan.
- The result shows AI can massively accelerate bug-finding, while raising concerns about dual use and access controls. (thenextweb.com)
Software security starts with bug hunting: researchers read huge codebases looking for small mistakes that can crash a program or let attackers take control. Mozilla said Anthropic's Claude Mythos found 271 vulnerabilities in Firefox in a single early evaluation, and the fixes shipped in Firefox 150 on April 21. (blog.mozilla.org)

Mozilla's Firefox team said it had been testing frontier models since February. An earlier scan with Claude Opus 4.6 helped fix 22 security-sensitive bugs in Firefox 148, before Mythos produced a much larger batch for Firefox 150. (blog.mozilla.org, blog.mozilla.org)

Firefox 150's security advisory lists more than 40 CVEs, including three findings credited to researchers "using Claude from Anthropic." Mozilla's advisory says some of the memory-safety bugs fixed in this release could likely have been exploited to run arbitrary code. (mozilla.org, mozilla.org)

A zero-day is a software flaw the vendor does not yet know about, so the vendor has had zero days to fix it by the time it is discovered or exploited. Mozilla's Bobby Holley wrote that browser security has long favored attackers because finding rare bugs required a small number of highly skilled specialists. (blog.mozilla.org)

Holley said Mozilla has "found no category or complexity of vulnerability that humans can find that this model can't," and that a single Mythos scan matched elite human researchers in scale. Anthropic said it is limiting Mythos Preview to a small group of critical-industry partners and open-source developers through Project Glasswing. (blog.mozilla.org, anthropic.com)

Anthropic describes Project Glasswing as a program to give defenders an early start securing widely used software before similar models become broadly available. Its launch partners include Amazon Web Services, Apple, Google, Microsoft, NVIDIA, the Linux Foundation, and Mozilla, along with other maintainers of critical software. (anthropic.com, anthropic.com)

Anthropic's own March write-up with Mozilla described how Opus 4.6 surfaced reproducible Firefox bugs with test cases that engineers could verify and patch. In its April system card, Anthropic called Mythos Preview its most capable frontier model to date and reported stronger scores than Opus 4.6 on security evaluations. (anthropic.com, www-cdn.anthropic.com)

The same capability creates the central policy dispute: a model that can find flaws for defenders can also help attackers identify or exploit them faster. Anthropic's red-team site says the company chose restricted access because it wants critical defenders to secure important systems before tools with similar capabilities spread more widely. (red.anthropic.com, anthropic.com)

Mozilla's public message was narrower than the hype around "271 bugs." The company said those vulnerabilities came from an initial evaluation pass, while the public advisory shows that only a smaller set rose to the level of named CVEs in Firefox 150. The two figures are not directly comparable: 271 counts findings from the scan itself, while the CVE list counts only the issues Mozilla documented individually in the release advisory. (blog.mozilla.org, mozilla.org)

For Firefox users, the immediate takeaway is simple: update to Firefox 150. For software vendors, Mozilla's April 21 release turned one AI scan into hundreds of fixes and put access control at the center of the security debate. (developer.mozilla.org, blog.mozilla.org)