AI Scans Firefox Code
- A social report says Anthropic’s Claude Mythos AI scanned Firefox's codebase and matched human vulnerability-finding performance.
- The post credited the AI with helping to identify or patch 271 Firefox vulnerabilities.
- The example highlights AI's growing role in defensive security and code-auditing workflows. (x.com)
Software bugs are hidden mistakes in code; security bugs are the ones attackers can turn into break-ins. Mozilla said Firefox 150 fixed 271 vulnerabilities identified during an early evaluation of Anthropic’s Claude Mythos Preview. (blog.mozilla.org)

Mozilla published that account on April 21, 2026, and said the fixes shipped in Firefox 150 that same week. The company described the work as part of a continued collaboration with Anthropic on browser security. (blog.mozilla.org)

Anthropic had already disclosed an earlier phase of the partnership on March 6, 2026. In that test, Claude Opus 4.6 found 22 Firefox vulnerabilities in two weeks, including 14 that Mozilla rated high severity. (anthropic.com)

Browsers are difficult to secure because they process untrusted web content all day, and a single missed flaw can let an attacker steal data or run code. Mozilla’s security advisories define critical bugs as ones that can let attacker code run without requiring anything beyond normal browsing. (anthropic.com) (mozilla.org)

Anthropic says its security system does not work like older rule-based scanners that look for known bad patterns. It says Claude Code Security reads a codebase more like a human reviewer, traces how data moves through the program, and then suggests patches for human approval. (anthropic.com)

Mozilla said its own security work had leaned heavily on dynamic analysis, including fuzzing, which bombards software with unexpected inputs to shake loose crashes. The company said the Anthropic tests added a different method: scanning source code for latent flaws before attackers find them. (blog.mozilla.org)

Anthropic said it first tested Claude on previously disclosed Firefox CVEs (Common Vulnerabilities and Exposures entries) before moving to current code. The company said Firefox was chosen because it is a large, heavily tested open-source browser used by hundreds of millions of people. (anthropic.com)

The companies also framed the work as a defensive-security project, not an autonomous patch pipeline.
Anthropic said nothing is applied without human approval, and Mozilla said its engineers validated the findings and shipped the fixes. (anthropic.com) (blog.mozilla.org)

Mozilla’s public post went further than a raw bug count. It said, “So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t,” a claim that will draw more attention to how browser makers audit old C++ code and maintain process sandboxes. (blog.mozilla.org)

For Firefox users, the immediate fact is simpler: the browser’s latest release includes the fixes, and Mozilla is telling people this was not a lab demo detached from production. It was a code review effort that ended in shipped patches. (blog.mozilla.org)