Mozilla released Firefox 150 on 21 April with fixes for 271 vulnerabilities discovered by Anthropic's Claude Mythos Preview — a cybersecurity-focused model that found more bugs in a single automated pass than human security researchers had identified in the preceding 18 months. Of the 271 issues, 180 were rated sec-high, 80 sec-moderate, and 11 sec-low.
The findings included sandbox escape vulnerabilities — the most prized category in browser security, commanding up to $20,000 per bug under Mozilla's bounty programme. Mythos found more sandbox issues than human researchers ever had. It also uncovered a bug in the HTML <legend> element that had existed for 15 years, and XSLT-related vulnerabilities that had persisted for 20 years — complex, deeply embedded issues that traditional fuzzing and manual code review had never caught.
The improvement over previous models is dramatic. Claude Opus 4.6, running the same evaluation against the Firefox codebase, found 22 bugs. Mythos found 271 — a 12x increase in a single generation. Bobby Holley, Mozilla's VP of Engineering, stated that 'Mythos Preview is every bit as capable' as elite human security researchers, adding that Mozilla's team had 'many years of experience picking apart the work of the world's best security researchers' and saw no category or complexity of vulnerability that Mythos could not match.
Critically, Holley also noted that 'we haven't seen any bugs that couldn't have been found by an elite human researcher'. The significance is not that AI finds things humans cannot, but that it finds them at a speed and scale that fundamentally changes the economics of security. Mozilla's blog post frames this as a watershed moment: for the first time, AI-assisted vulnerability discovery 'erodes the attacker's long-term advantage by making all discoveries cheap', giving defenders 'a chance to win, decisively'.
For context engineers, the implications are immediate. If a single AI model can find 271 vulnerabilities in one of the most audited open-source codebases in existence, the bar for security in less-scrutinised projects has risen dramatically. AI-assisted security scanning is transitioning from experimental tooling to essential infrastructure — and the gap between codebases that use it and those that do not will widen rapidly.