AI Finds Bugs Faster Than Fixes

- Anthropic's Claude Mythos reportedly uncovered 271 zero-day vulnerabilities in Firefox, highlighting AI's power in bug discovery.
- The company also delayed a new model release after systems excelled at finding and exploiting software bugs.
- Those events underline a patching bottleneck where discovery may outpace organisations' ability to remediate vulnerabilities.

Software bugs are mistakes in code; a zero-day is one the vendor does not know about yet. Mozilla said Firefox 150, released this week, patched 271 of them after testing Anthropic’s Claude Mythos Preview. (blog.mozilla.org)

Mozilla said the 271 flaws came from an initial Mythos evaluation and were fixed in Firefox 150 on April 21, 2026. Firefox Chief Technology Officer Bobby Holley wrote that the team had been “working around the clock” since February using frontier AI models to find and fix latent bugs. (blog.mozilla.org)

Anthropic had already used an earlier model, Claude Opus 4.6, on Firefox and said that run found 22 vulnerabilities in two weeks, 14 of them rated high severity by Mozilla. Anthropic said it chose Firefox because it is a complex, well-tested open-source browser, making it a harder benchmark than earlier codebases. (anthropic.com)

Traditional bug-hunting tools like fuzzers work by blasting software with huge numbers of random inputs to see what crashes. Anthropic said Opus 4.6 instead “reads and reasons about code” more like a human researcher, tracing logic and comparing old fixes to new code paths. (red.anthropic.com)

Anthropic said Mythos Preview goes further: the company reported on April 7 that the model could identify and exploit zero-days in every major operating system and every major web browser during testing. The same post said more than 99% of the vulnerabilities it had found were still unpatched, limiting what the company could disclose publicly. (red.anthropic.com)

That has shifted the bottleneck from finding bugs to fixing them. Anthropic said its disclosure policy aims to “pace” reports to what maintainers can absorb, with a default 90-day timeline and human-reviewed reports that include suggested fixes where possible. (anthropic.com)

Anthropic has started building programs around that mismatch. In February it launched Claude Code Security as a limited research preview for Enterprise and Team customers, saying security teams face “too many software vulnerabilities and not enough people to address them,” and that nothing is applied without human approval. (anthropic.com)

In April, Anthropic expanded that approach with Project Glasswing, a coalition that includes Amazon Web Services, Apple, Cisco, Google, Microsoft, Nvidia and the Linux Foundation. Anthropic said it would provide up to $100 million in Mythos Preview usage credits and $4 million in donations to open-source security groups. (anthropic.com)

Anthropic’s public newsroom shows it released Claude Opus 4.7 on April 16, 2026, one week after unveiling Mythos Preview and Project Glasswing. The company has not published a separate announcement saying it delayed Opus 4.7, but its recent security posts repeatedly say advanced bug-finding and exploit-building capabilities are shaping how and when it rolls out cyber-related tools. (anthropic.com; red.anthropic.com)

For now, the clearest datapoint is Firefox: 22 bugs from one Anthropic model in March, then 271 more from Mythos in April. Mozilla said the result forced the browser team to reprioritize “everything else” to keep up with the fixes. (anthropic.com; blog.mozilla.org)
