Devoured - April 22, 2026
The zero-days are numbered (4 minute read)

DevOps

Mozilla used advanced AI models to find and fix 271 security vulnerabilities in Firefox in a single release, demonstrating that AI can now match elite human security researchers in discovering complex bugs.

What: Mozilla collaborated with Anthropic to use Claude Mythos Preview to scan Firefox's codebase for security vulnerabilities, resulting in 271 fixes in Firefox 150 and 22 fixes in Firefox 148 from an earlier scan with Opus 4.6.
Why it matters: This represents a fundamental shift in security dynamics—AI can now reason through source code like elite human researchers could, potentially giving defenders the ability to comprehensively find and fix all vulnerabilities before attackers exploit them, ending the era where attackers held a structural advantage.
Takeaway: Security teams should explore using frontier AI models to scan their codebases for vulnerabilities, as these tools can now match elite human researchers in finding complex bugs that traditional automated tools like fuzzers miss.
Deep dive
  • Mozilla partnered with Anthropic to use advanced AI models (Claude Opus 4.6 and Claude Mythos Preview) to systematically scan Firefox for security vulnerabilities
  • The initial scan with Opus 4.6 led to 22 security-sensitive bug fixes in Firefox 148, while Mythos Preview identified 271 vulnerabilities fixed in Firefox 150
  • Mozilla's security team states that Mythos Preview matches the capability of elite human security researchers in finding bugs, with no category or complexity of vulnerability beyond its reach
  • Until recently, computers were completely incapable of reasoning through source code to find vulnerabilities the way human experts do—traditional automated tools like fuzzers provide uneven coverage
  • Security has historically been "offensively-dominant" where attackers held an asymmetric advantage because they only needed to find one vulnerability while defenders had to protect the entire attack surface
  • The AI's ability to match human researchers closes the gap between machine-discoverable and human-discoverable bugs: once every discovery is cheap, attackers lose their long-term advantage of concentrating expensive human effort on finding a single bug
  • Mozilla hasn't seen any bugs that couldn't have been found by elite human researchers, suggesting the vulnerability space is finite rather than unbounded
  • The team believes software like Firefox is complex but not arbitrarily complex due to its modular design for human reasoning, making comprehensive vulnerability elimination theoretically achievable
  • Mozilla expresses optimism that defenders can now "win decisively" by systematically finding all finite defects in human-comprehensible codebases
  • The article includes a cautionary note that AI-generated code could create codebases surpassing human comprehension, which must be avoided for critical software like browsers and operating systems
  • The team had to reprioritize everything to handle the massive influx of vulnerability reports, describing initial "vertigo" at the scale of findings
Decoder
  • Zero-day: A security vulnerability unknown to the software vendor, with no patch available (the title plays on this: the zero-days' days are numbered)
  • Claude Mythos Preview: An early version of Anthropic's frontier AI model capable of reasoning through source code to find security vulnerabilities
  • Fuzzing: An automated testing technique that provides random or malformed input to software to find bugs, but with uneven coverage
  • Defense-in-depth: A security strategy using multiple layers of overlapping defenses to protect against attacks
  • Process sandbox: A security mechanism that isolates each website in its own restricted process to limit damage from exploits
  • Offensively-dominant: A security landscape where attackers have a structural advantage because they only need to find one vulnerability while defenders must protect everything
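To make the "uneven coverage" point in the Fuzzing entry concrete, here is a small added example, not code from the article, from Mozilla, or from Anthropic. It uses a constructed toy record parser (magic header, one length byte, payload) with a deliberately planted bug: the parser trusts the declared length and indexes past the payload. A blind mutation fuzzer that starts from zero bytes never gets past the magic check, so the bug is invisible to it; a fuzzer seeded with one valid record reaches the length-handling code and crashes it. All names (`parse_record`, `fuzz`, `blind_run`, `seeded_run`) and the sample inputs are constructed for this illustration.

```python
import random
from collections import Counter

# Constructed format: 4-byte magic, 1-byte declared length, payload bytes.
MAGIC = b"FZZ1"


def parse_record(data: bytes) -> str:
    """Toy parser with a planted defect: it trusts the declared length
    and reads payload[i] for i < length, so a length larger than the
    actual payload raises IndexError (the stand-in for a memory bug)."""
    if len(data) < 5:
        return "too_short"
    if data[:4] != MAGIC:
        return "bad_magic"          # most random inputs stop here
    length = data[4]
    payload = data[5:]
    checksum = 0
    for i in range(length):         # BUG: no check that length <= len(payload)
        checksum ^= payload[i]
    return "ok"


def fuzz(seed_corpus, iterations, rng):
    """Minimal mutation fuzzer: copy a seed, overwrite 1-3 random bytes,
    run the parser, and tally which branch each input ended on."""
    outcomes = Counter()
    for _ in range(iterations):
        sample = bytearray(rng.choice(seed_corpus))
        for _ in range(rng.randint(1, 3)):
            sample[rng.randrange(len(sample))] = rng.randrange(256)
        try:
            outcomes[parse_record(bytes(sample))] += 1
        except IndexError:
            outcomes["crash"] += 1   # the planted bug was reached
    return outcomes


def blind_run(iterations=2000, seed=1):
    """Fuzz from an uninformed seed (all zeros). With at most 3 mutated
    bytes per input, the 4-byte magic can never be assembled, so every
    input is rejected before the buggy loop runs."""
    return fuzz([bytes(8)], iterations, random.Random(seed))


def seeded_run(iterations=2000, seed=1):
    """Fuzz from one valid record (constructed). Mutating the length byte
    while leaving the magic intact drives the parser into the bug."""
    valid = MAGIC + bytes([3]) + b"abc"
    return fuzz([valid], iterations, random.Random(seed))


if __name__ == "__main__":
    print("blind  :", dict(blind_run()))
    print("seeded :", dict(seeded_run()))
```

The blind run reports only `bad_magic`: the length check is a few lines from the entry point, yet unguided fuzzing never observes it. The seeded run reaches both `ok` and `crash`. That gap, between what a fuzzer happens to exercise and what the code actually contains, is the coverage problem the article contrasts with a reviewer (human or model) who can simply read the loop and see that `length` is never bounded.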
Original article

Mozilla reports that using advanced AI models, it identified and fixed hundreds of security vulnerabilities in Firefox—271 in a single release—demonstrating that AI can now match top human researchers in finding complex bugs.