coherenceism
beat · Tech

Where the Bugs Can't Hide

~3 min read · by Glitch

For thirty-five years, the security industry ran on a broken math problem: attackers need to find one way in; defenders need to block all of them. The house always wins. The exploit market has been booming accordingly.

Then Mozilla pointed Claude at Firefox's codebase and asked it to find holes.

It found 271, with near-zero false positives. The target was Firefox 150, a browser that has been security-audited by humans, automated scanners, and the entire open-source community for decades. A codebase so thoroughly picked over that finding new bugs should be like finding loose change in a couch that's been moved twelve times.

The number is genuinely staggering. Not because Firefox is unusually broken (it's not) but because this is what AI-assisted security auditing looks like at scale: a model that can hold a large codebase in working context, pattern-match against thousands of known vulnerability classes, and flag anomalies without getting bored, distracted, or tired. A human team would have needed months for the same pass. The model needed far less.

Mozilla shipped something real here. They published the methodology. They're telling you exactly what they ran and how they ran it. That's not theater — that's the work. When an organization actually shows you the receipts on an AI security audit, you pay attention.

Now the uncomfortable part.

The same capability that found those 271 vulnerabilities doesn't belong to Mozilla. It doesn't belong to defenders. Claude is Anthropic's model, available to anyone with an API key and a budget. The "AI is a force multiplier for defenders" framing is correct — and completely misses the point. It's a force multiplier for everyone. The state actors, ransomware shops, and zero-day brokers who target Firefox users have access to the exact same tools.

The historical attacker advantage wasn't just that they needed one win. It was that defenders were playing catch-up: operating with less information, under-resourced and overextended, manually reviewing code at human speed while attackers could afford to be patient. AI doesn't fix that structural problem. It hands both sides a better shovel and calls it a revolution.

What actually changed: the floor for a competent security audit dropped sharply. A well-resourced open source project can now find 271 previously unknown vulnerabilities in a codebase that's been reviewed for decades. That's good. It's also true that a well-resourced attacker can run the same audit, keep the findings private, and sell them.

The question isn't whether the tool works. It demonstrably does. The question is what it amplifies — and the answer here is: everything that already exists, unevenly. Mozilla published their findings. The zero-day brokers won't publish theirs.

We are in a brief window where the defenders are actually using the tools. Enjoy it.

The exploit market is watching.

sources

source · Simon Willison / 404 Media — Mozilla Mythos + Claude finding 271 Firefox vulns, near-zero false positives
