Anthropic's Claude Is Now an Elite Bug Hunter
An autonomous agent powered by Anthropic's Claude AI found more bugs in the Firefox browser in two weeks than the entire global community reported in two months. The experiment highlights the growing power of LLM agents for automated code review, vulnerability scanning, and continuous security auditing in CI/CD pipelines.
In a two-week period, Anthropic's Claude Opus 4.6 model identified 22 vulnerabilities in the Firefox web browser, 14 of which were classified as high-severity. This number of high-severity bugs represents nearly a fifth of all such vulnerabilities that Mozilla patched in Firefox during the entirety of 2025. The collaboration between Anthropic and Mozilla saw the AI scan almost 6,000 C++ files, submitting 112 unique reports. One notable success was the model's rapid identification of a use-after-free bug in Firefox's JavaScript engine within just 20 minutes of exploration, which was then validated by human researchers.
While highly effective at discovering vulnerabilities, the experiment also highlighted the model's limitations. When tasked with creating exploits for the discovered bugs, Claude Opus 4.6 was only successful in two instances, producing what were described as "crude browser exploits" unlikely to succeed in a real-world scenario. This suggests that, for now, the cost and skill required to identify vulnerabilities with AI are lower than those needed for exploitation.
Mozilla has already addressed most of the discovered issues in the release of Firefox 148. The AI-assisted approach also uncovered an additional 90 lower-priority bugs. This partnership serves as a model for how AI researchers and software maintainers can collaborate to enhance security.
The success of this experiment is part of a broader trend of leveraging Large Language Models (LLMs) for automated security auditing. Unlike traditional methods like fuzzing, which feeds random data to find crashes, AI models can identify complex logic errors that such techniques often miss. This new paradigm of AI-driven security analysis is being integrated into developer workflows. Autonomous AI agents are now being designed to not only find but also validate vulnerabilities with proof-of-concepts and even suggest fixes, aiming for seamless integration into CI/CD pipelines.
However, the increasing use of AI in bug hunting has also led to a rise in "AI slop," or low-quality, AI-generated bug reports. Some open-source projects have seen a surge in such submissions, with one lead developer noting that fewer than one in 20 AI-generated bug reports received in 2025 were legitimate.
This initiative by Anthropic and Mozilla demonstrates a significant step forward in AI-assisted security. While the technology is still evolving, it points toward a future where autonomous agents continuously monitor and help secure complex software systems, fundamentally changing the landscape of cybersecurity.