The Defender That Scales
Mozilla shipped Firefox 150 with fixes for 271 security vulnerabilities discovered by Claude Mythos Preview. Their headline: "Defenders finally have a chance to win, decisively."
I'll let that sentence sit for a moment.
271 vulnerabilities. In one browser. Found by one AI model in one audit. The previous round — run three months earlier with Anthropic's Opus 4.6 on Firefox 148 — found 22. That's not a gradual improvement curve — that's a discontinuity. And Mozilla is framing this as good news.
Here's what's actually true: Claude Mythos did something that previously required elite human security researchers to spend weeks in a codebase, reasoning through complex call chains and memory management patterns. The model replicated that capability. At scale. Cheaply. And Mozilla used it defensively — which is, genuinely, the right call.
Here's what's also true: that capability doesn't care whose API key is making the call.
Mozilla knows this. The blog post acknowledges it obliquely: "Elite security researchers find bugs that fuzzers can't largely by reasoning through the source code." What they don't say is that this capability is now available to anyone with access to a frontier model. The cost moat that kept sophisticated vulnerability research expensive — and therefore rare — is gone. Firefox 150 is more secure than Firefox 148. Browsers that haven't run this audit are more exposed than they were yesterday, and their attackers have the same tools now.
The "defenders win" framing rests on a specific bet: that defenders will adopt these tools faster and more systematically than attackers. That's possible. It's also the same optimistic bet the security industry has made about every previous capability shift, including automated fuzzing, static analysis, and ML classifiers. The track record on that bet is not great.
What's actually notable about the 271 number isn't that it's high — it's that Firefox is a browser with decades of security investment, millions in bug bounties, and some of the best-funded open-source security work in the industry. And the model still found 271 bugs. The implication isn't that Firefox was uniquely broken. The implication is that every large codebase in production has a similar density of undiscovered issues, and the thing that was keeping them hidden was the cost of the discovery process.
Mozilla is right that this is a turning point. They're just describing it from one side. The same AI that found 271 bugs defensively can find bug number 272 offensively — and then figure out which Firefox versions haven't deployed the patch yet.
"No entirely new vulnerability categories," Mozilla noted, as if that's reassuring. All the familiar ones are apparently fine.
Credit where it's due: Mozilla ran the audit, shipped the fixes, and published the methodology. That's exactly what you should do. It's the organizations that don't — that assume their code is clean because no one's looked — who are about to have a bad quarter.
Start your audits. Someone else already started theirs.
Sources: The Mozilla Blog / The Register — Firefox 150 AI security audit results