Mozilla addresses 271 vulnerabilities in Firefox identified by Anthropic's Claude Mythos during a single evaluation.
Summary: Mozilla launched Firefox 150, addressing 271 security vulnerabilities discovered by Anthropic’s Claude Mythos Preview, an unreleased AI model available only to select organizations under the Project Glasswing initiative. This collaboration started earlier this year when Claude Opus 4.6 identified 22 bugs in Firefox 148; Mythos uncovered over twelve times that number. Firefox CTO Bobby Holley remarked that the flaws are “finite” and that defenders can “finally find them all,” while the UK AI Security Institute noted that Mythos is also capable of carrying out autonomous multi-stage network attacks, highlighting a significant dual-use dilemma.
On Monday, Mozilla released Firefox 150, fixing 271 security vulnerabilities identified by Anthropic’s Claude Mythos Preview, a restricted frontier AI model available only to a few organizations through Project Glasswing. The number is notable not for the rarity of the bugs but for their commonality. Mozilla stated in a blog post titled "The zero-days are numbered" that none of the bugs discovered were beyond the capability of elite human researchers, yet no human team could have found 271 of them that quickly.
The partnership between Mozilla and Anthropic started earlier this year with a smaller initiative. In February, Firefox’s security team used Claude Opus 4.6 to scan nearly 6,000 C++ files within the browser's codebase, resulting in 112 unique reports, of which 22 were validated as security-sensitive bugs and fixed in Firefox 148. Fourteen were categorized as high severity, constituting nearly one-fifth of all high-severity vulnerabilities remediated in 2025. The subsequent Mythos evaluation produced over twelve times as many confirmed vulnerabilities. Holley described the experience as inducing “vertigo” for the team.
What Mythos entails and its limited user base
Claude Mythos Preview serves as the core of Anthropic’s restricted Mythos model initiative, Project Glasswing, announced on April 7. It is a general-purpose frontier model, not specialized for security tasks, yet Anthropic considers its coding abilities significant enough to warrant controlled distribution. The UK AI Security Institute assessed the model and discovered it could autonomously perform multi-stage network attacks, succeeding in a simulation called “The Last Ones” three out of ten times. It can link multiple small vulnerabilities into a single effective attack, reconstruct source code from deployed applications to identify exploitable weaknesses, and create custom tools for lateral movement and data extraction once within a network.
Access is confined to 12 designated launch partners, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks, with about 40 additional organizations permitted access for defensive security purposes. Anthropic has pledged up to $100 million in usage credits and $4 million in donations to open-source security organizations, including $2.5 million to Alpha-Omega and OpenSSF via the Linux Foundation, and $1.5 million to the Apache Software Foundation. The model is accessible to Glasswing participants at a rate of $25 per million input tokens and $125 per million output tokens through the Claude API, Amazon Bedrock, Google Cloud’s Vertex AI, and Microsoft Foundry.
The limited rollout has already faced challenges. On the same day Anthropic unveiled Glasswing, an unauthorized group accessed Mythos Preview by guessing its URL through a third-party vendor environment, a situation that Anthropic is currently investigating.
The defender’s perspective
Holley positioned the 271 vulnerabilities not as a critique of Firefox’s code quality but as an indication that the security landscape is evolving in favor of defenders for the first time. He noted, “A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can invest months of expensive human effort to find a single bug. Closing this gap diminishes the attacker’s long-term advantage by making all discoveries inexpensive.”
The reasoning is clear. A zero-day vulnerability is particularly valuable to an attacker because it is unknown. If a defender can detect and fix the same bug before an attacker finds it, that bug loses its offensive potential. Historically, the cost asymmetry has favored attackers, as a browser like Firefox comprises millions of lines of code, and a single undetected flaw is sufficient for exploitation. An elite human security researcher may require weeks or months to uncover one such flaw, while a model like Mythos can scan the entire codebase in a fraction of that time. Mozilla's assertion is that this changes the economic landscape permanently. “Software like Firefox is designed in a modular way that allows humans to rationalize its correctness,” the blog post asserted. “It is complex, but not needlessly so. The defects are finite, and we are stepping into an era where we can finally locate them all.”
This claim is bold and intentional. Mozilla is positing that the era of zero-day vulnerabilities in well-structured software has a deadline—not because attackers will cease their efforts,
