Anthropic's Claude Opus 4.6 discovered 22 new security vulnerabilities in Firefox, 14 of them high-severity, in just two weeks of automated scanning.
One use-after-free bug was found in 20 minutes of exploration. These weren't theoretical — they were real bugs patched in Firefox 148.
The Numbers
- 22 new vulnerabilities discovered
- 14 high-severity
- 6,000 C++ files scanned
- 20 minutes to find one critical use-after-free bug
- 2 successful exploits out of hundreds of attempts
The Dual-Use Problem
Here's what makes this both exciting and concerning: the same AI capability that finds bugs defensively can be weaponized offensively.
Right now, AI appears to be a better defender than attacker — Claude could find bugs but only successfully wrote 2 exploits out of several hundred attempts. But that capability gap won't last forever.
What This Means
If you're in security, this changes your threat model. AI-assisted vulnerability discovery at scale means:
- Defenders get superpowers — codebases can be audited at unprecedented speed
- Attackers get the same tools — zero-day discovery becomes faster and cheaper
- Verification becomes critical — we need to verify AI skills, agents, and tools before they touch production systems
This is exactly the problem I'm working on at verified-skill.com — building verification infrastructure for AI agent skills before they can execute on your system.
The AI security arms race isn't coming. It's here.