Mythos · Ars Technica
Mozilla confirms 271 flaws surfaced by Mythos have "almost no false positives"
Compiled by KHAO Editorial — aggregated from 5 outlets. See llms.txt for citation guidance.
The disbelief was palpable when Mozilla’s CTO last month declared that AI-assisted vulnerability detection meant “zero-days are numbered” and “defenders finally have a chance to win, decisively.” After all, it looked like part of an all-too-familiar pattern: cherry-pick a handful of impressive AI-achieved results, leave out any of the fine print that might paint a more nuanced picture, and let the hype train roll on.
Key facts
- Thursday’s behind-the-scenes view includes the unhiding of full Bugzilla reports for 12 of the 271 vulnerabilities Mozilla discovered using Mythos and, to a lesser extent, Claude Opus 4.6
- Of the 271 bugs found using Mythos, 180 were sec-high, Mozilla’s highest designation for internally reported vulnerabilities
- Mindful of the skepticism, Mozilla on Thursday provided a behind-the-scenes look into its use of Anthropic Mythos—an AI model for identifying software vulnerabilities—to ferret out 271 Firefox
- Critics initially scoffed when Mozilla didn’t obtain CVE designations for any of the 271 vulnerabilities
Summary
Mindful of the skepticism, Mozilla on Thursday provided a behind-the-scenes look into its use of Anthropic Mythos—an AI model for identifying software vulnerabilities—to ferret out 271 Firefox security flaws over two months. The engineers said their earlier brushes with AI-assisted vulnerability detection were fraught with “unwanted slop.” Typically, someone would prompt a model to analyze a block of code. Mozilla’s work with Mythos was different, Mozilla Distinguished Engineer Brian Grinstead said in an interview. Grinstead described the harness his team built as “the code that drives the LLM to accomplish a goal.”