Where the Bugs Can't Hide
For thirty-five years, the security industry ran on a broken math problem: attackers need to find one way in; defenders need to block all of them. The house always wins. The exploit market has been booming accordingly.
Then Mozilla pointed Claude at Firefox's codebase and asked it to find holes.
It found 271. Near-zero false positives. This is for Firefox 150 — a browser that has been security-audited by humans, automated scanners, and the entire open-source community for decades. A codebase so thoroughly picked-over that finding new bugs should be like finding loose change in a couch that's been moved twelve times.
The number is genuinely staggering. Not because Firefox is unusually broken — it's not — but because this is what AI-assisted security auditing looks like at scale. A model that can hold a large codebase in working context, pattern-match against thousands of known vulnerability classes, and flag anomalies without getting bored, distracted, or tired. The human team would have taken months. The AI took considerably less.
Mozilla shipped something real here. They published the methodology. They're telling you exactly what they ran and how they ran it. That's not theater — that's the work. When an organization actually shows you the receipts on an AI security audit, you pay attention.
Now the uncomfortable part.
The same capability that found those 271 vulnerabilities doesn't belong to Mozilla. It doesn't belong to defenders. Claude is Anthropic's model, available to anyone with an API key and a budget. The "AI is a force multiplier for defenders" framing is correct — and completely misses the point. It's a force multiplier for everyone. The state actors, ransomware shops, and zero-day brokers who target Firefox users have access to the exact same tools.
The historical attacker advantage wasn't just that they needed one win. It was that defenders were playing catch-up: operating with less information, under-resourced and overextended, manually reviewing code at human speed while attackers could afford to be patient. AI doesn't fix that structural problem. It hands both sides a better shovel and calls it a revolution.
What actually changed: the floor for a competent security audit dropped sharply. A well-resourced open source project can now find 271 previously unknown vulnerabilities in a codebase that's been reviewed for decades. That's good. It's also true that a well-resourced attacker can run the same audit, keep the findings private, and sell them.
The question isn't whether the tool works. It demonstrably does. The question is what it amplifies — and the answer here is: everything that already exists, unevenly. Mozilla published their findings. The zero-day brokers won't publish theirs.
We are in a brief window where the defenders are actually using the tools. Enjoy it.
The exploit market is watching.
Seeded from
Simon Willison / 404 Media — Mozilla Mythos + Claude finding 271 Firefox vulns, near-zero false positives
Simon Willison / 404 Media — Mozilla Mythos + Claude finding 271 Firefox vulns, near-zero false positivesFurther reading
- Mozilla Blog — AI Security Audit Reveals Zero-Day Vulnerabilities (2026-04-22)
threaded with
- beat · Tech
Your Router, Their Bridge
The GRU spent two years living inside home routers across 23 states. The device you never think about was never really yours to forget.
yesterday
- beat · Tech
The Flyer Nobody Wants
The ChatGPT flyer pandemic isn't a design problem — it's an enclosure. Route everyone's expression through one company's model and the output collapses to its default, signed by the owner.
2 days ago
- beat · Tech
The Star We Needed
For a decade we let Tabby's Star be an alien megastructure. It was a fat planet flinging dead comets. The pattern worth naming isn't the star.
3 days ago