DEV Community

Gerus Lab

AI Found 271 Bugs in Firefox. We Read the CVEs. Here's What Actually Happened.

AI found 271 bugs in Firefox. Mozilla is calling it a revolution. Anthropic is calling it the future of security research. The headlines are breathless.

We dug into the actual CVEs. Here's what we found.


When Anthropic announced Mythos — their AI-powered vulnerability hunting model — the security world paid attention. The number that went viral: $20,000 worth of bugs found in a single run. Mozilla quickly followed up, claiming Mythos identified 271 vulnerabilities in Firefox 150.

That's the kind of number that makes CISOs cancel their pentesting contracts.

But at Gerus-lab, we've been building security tooling and AI-assisted code analysis for several years. We know how these numbers get made. So we did what any skeptical engineer should do: we went to the actual CVE list and read it.

What we found is more nuanced — and more interesting — than the press release.

What Mythos Actually Did

Let's be precise about what happened. Mozilla ran Anthropic's Mythos across the Firefox 150 codebase and reported 271 "AI-found" vulnerabilities. That sounds monumental.

But the full CVE audit tells a different story:

  • CVE-2026-6746: Use-after-free in DOM (1 bug, directly attributable to Anthropic's tooling)
  • CVE-2026-6784: Memory safety bugs in Firefox 150 + Thunderbird 150 — 55 bugs in a single omnibus CVE
  • CVE-2026-6785: Memory safety bugs across Firefox 150, ESR 115.35, ESR 140.10, Thunderbird — 154 bugs
  • CVE-2026-6786: Memory safety bugs in Firefox ESR 140.10 + 150 — 107 bugs

Total across those four CVEs: 317 bugs. But that total spans Thunderbird and the ESR branches as well as Firefox 150, and the CVE entries do not say how many of the bundled bugs are in Firefox 150 specifically, so the 271 figure cannot be reconstructed from the advisories alone.

So Mozilla's "271 vulnerabilities" rests on omnibus entries that bundle dozens of individual fixes under one CVE id. Mozilla publishes these roll-up "memory safety bugs fixed in Firefox N" advisories for every release; the bugs in them are crashes and sanitizer findings that were fixed without an individual exploitability assessment, which is why the advisory text says only that some of them showed evidence of memory corruption and could presumably have been exploited with enough effort. That is a different thing from a list of exploitable zero-days.

This isn't a gotcha. It's important context.
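To make the accounting above concrete, here is a small audit helper, added for this article and not a Gerus Lab tool: it parses the four entries into a product/bug-count structure and computes the smallest and largest number of fixed bugs that a given product could be credited with. Treating CVE-2026-6746 as affecting only Firefox 150 is an assumption; the post does not say which products that entry covers.

```python
import re
from dataclasses import dataclass

# Constructed input: the four CVE entries as the post lists them, in a simple
# "CVE: title | affected products | fixed bug count" shape. Assumption: the
# DOM use-after-free entry covers Firefox 150 only.
ADVISORY_LINES = """
CVE-2026-6746: Use-after-free in DOM | Firefox 150 | 1
CVE-2026-6784: Memory safety bugs | Firefox 150, Thunderbird 150 | 55
CVE-2026-6785: Memory safety bugs | Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird | 154
CVE-2026-6786: Memory safety bugs | Firefox ESR 140.10, Firefox 150 | 107
"""

LINE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.+?)\s*\|\s*(.+?)\s*\|\s*(\d+)\s*$")


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    products: frozenset
    bugs: int

    @property
    def omnibus(self) -> bool:
        # A roll-up advisory bundles many independent fixes under one id.
        return self.bugs > 1


def parse_advisories(text):
    out = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable advisory line: {raw!r}")
        cve, title, products, bugs = m.groups()
        out.append(Advisory(cve, title, frozenset(p.strip() for p in products.split(",")), int(bugs)))
    return out


def summarize(advisories):
    return {
        "cves": len(advisories),
        "omnibus_cves": sum(a.omnibus for a in advisories),
        "total_bugs": sum(a.bugs for a in advisories),
        "single_finding_bugs": sum(a.bugs for a in advisories if not a.omnibus),
    }


def attribution_bounds(advisories, product):
    """Min/max bugs attributable to `product`.

    hi counts every bug in every CVE that lists the product; lo counts only
    CVEs that list nothing else. An omnibus CVE spanning several products
    does not say how its bugs split, so anything between lo and hi is
    unverifiable from the advisories alone.
    """
    touching = [a for a in advisories if product in a.products]
    hi = sum(a.bugs for a in touching)
    lo = sum(a.bugs for a in touching if a.products == {product})
    return lo, hi


def reconcile(claim, advisories, product):
    """Classify a headline number against what the CVEs can support."""
    lo, hi = attribution_bounds(advisories, product)
    if not lo <= claim <= hi:
        status = "inconsistent"
    elif lo == hi:
        status = "exact"
    else:
        status = "unverifiable"
    return status, lo, hi


if __name__ == "__main__":
    advs = parse_advisories(ADVISORY_LINES)
    print(summarize(advs))
    print("Firefox 150 claim of 271:", reconcile(271, advs, "Firefox 150"))
```

For Firefox 150 the bounds come out at 1 to 317, so 271 is consistent with the advisories but not derivable from them; that is the whole point of the "nuanced" reading above.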

The Signal vs. The Noise

Here's what we genuinely believe after this analysis:

AI-assisted fuzzing and static analysis work. Tools like Mythos are doing something real. Finding memory safety bugs at scale, even if many are low-severity, reduces the attack surface. That's unambiguously good.

But "AI found 271 bugs" is not the same as "AI is replacing security researchers."

The three CVEs directly attributable to Anthropic's tooling, CVE-2026-6746, the use-after-free in the DOM, among them, are the genuinely impressive part. A UAF in the DOM is serious: it is the classic primitive for a renderer compromise, the first link of a full browser exploit chain. If Mythos found that, that's a real win.

The other 268 "bugs" are largely crashes surfaced by AI-assisted fuzzing, fixed one by one, and then rolled up into the omnibus CVEs. Those fixes are valuable, but categorically different from "discovered a zero-day."

How We Think About AI Security at Gerus-lab

We've been integrating AI into security workflows for clients for a while now. Our experience with AI-assisted code review at gerus-lab.com tracks with what Mozilla is reporting: AI is exceptional at finding patterns at scale, but it still struggles to judge exploitability.

The workflow that actually works:

1. AI-assisted fuzzing (Mythos-style) → generates candidate bugs
2. Human researcher → triages by exploitability
3. Automated PoC generation → validates actual risk
4. Patch + verify

Step 2 is still deeply human. We built a security review pipeline for a DeFi client where GPT-4o identified 47 potential issues in Solidity contracts — but only 6 were real vulnerabilities after human triage. That's roughly the same ratio you'd expect from static analysis tools that have existed for decades.

The difference with modern AI models: volume and speed, not fundamentally different insight.
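What step 1 hands to step 2 in practice is a pile of sanitizer reports, and the part of step 2 that can be automated is deduplication and ordering of the queue, not the exploitability verdict. The following is an added example written for this article, not Gerus Lab's pipeline and not anything from Mozilla or Anthropic: it parses constructed AddressSanitizer output (fake addresses and frames), collapses repeated hits of the same crash, and ranks what is left by bug class so the human starts with the use-after-free rather than the null dereference. The priority rules are the example's own heuristics.

```python
import re

# Constructed AddressSanitizer output standing in for what an AI-assisted
# fuzzing run hands to a triager. Four reports; the first two are the same
# use-after-free hit twice. Addresses and frames are invented.
SAMPLE_ASAN = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000010 at pc 0x4a1b2c
WRITE of size 8 at 0x603000000010 thread T0
    #0 0x4a1b2c in Node::setParent(Node*) dom/node.cpp:88
    #1 0x4a1c3d in Document::adopt(Node*) dom/document.cpp:120
    #2 0x4a1d4e in main fuzz.cpp:20
0x603000000010 is located 0 bytes inside of 32-byte region
freed by thread T0 here:
    #0 0x49f000 in operator delete(void*) asan_new_delete.cpp:160
    #1 0x4a1e5f in Document::removeChild(Node*) dom/document.cpp:140
==4243==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000450 at pc 0x4a1b2c
WRITE of size 8 at 0x603000000450 thread T0
    #0 0x4a1b2c in Node::setParent(Node*) dom/node.cpp:88
    #1 0x4a1c3d in Document::adopt(Node*) dom/document.cpp:120
    #2 0x4a1d4e in main fuzz.cpp:20
==4244==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000035 at pc 0x4b0001
READ of size 1 at 0x602000000035 thread T0
    #0 0x4b0001 in Parser::peek() parser/lexer.cpp:44
    #1 0x4b0102 in Parser::next() parser/lexer.cpp:60
==4245==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x4c0001)
==4245==The signal is caused by a READ memory access.
==4245==Hint: address points to the zero page.
    #0 0x4c0001 in Layout::measure(Box*) layout/box.cpp:12
    #1 0x4c0102 in Layout::reflow() layout/box.cpp:30
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+)")
FRAME = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+)")


def parse_asan_reports(text):
    """Split sanitizer output into reports: crash kind, faulting address, access type, access stack."""
    reports, cur, collecting = [], None, False
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            cur = {"kind": m["kind"], "addr": int(m["addr"], 16), "access": None, "size": None, "frames": []}
            reports.append(cur)
            collecting = True
            continue
        if cur is None:
            continue
        m = ACCESS.match(line)
        if m and cur["access"] is None:
            cur["access"], cur["size"] = m["access"], int(m["size"])
            continue
        m = FRAME.match(line)
        if m:
            # A second "#0" begins the freed-by / allocated-by stack; only the
            # access stack feeds the dedup signature.
            if m["n"] == "0" and cur["frames"]:
                collecting = False
            if collecting:
                cur["frames"].append(m["func"])
    return reports


def priority(report):
    """Queue priority for human review. Heuristics about the bug class, not an
    exploitability verdict; that judgement stays with the researcher."""
    kind, access, addr = report["kind"], report["access"], report["addr"]
    if kind in ("heap-use-after-free", "double-free"):
        return "high"  # temporal safety bugs are the standard exploitation primitive
    if kind.endswith("-buffer-overflow"):
        return "high" if access == "WRITE" else "medium"  # OOB write vs OOB read
    if kind == "SEGV" and addr < 0x1000:
        return "low"  # near-null dereference: usually just a crash
    return "medium"


RANK = {"high": 0, "medium": 1, "low": 2}


def triage(text):
    """Deduplicate by (crash kind, top two frames) and order the queue for human triage."""
    queue = {}
    for r in parse_asan_reports(text):
        sig = (r["kind"], tuple(r["frames"][:2]))
        if sig in queue:
            queue[sig]["hits"] += 1
            continue
        queue[sig] = {"signature": sig, "priority": priority(r), "access": r["access"], "hits": 1}
    return sorted(queue.values(), key=lambda e: (RANK[e["priority"]], -e["hits"]))


if __name__ == "__main__":
    for entry in triage(SAMPLE_ASAN):
        kind, frames = entry["signature"]
        print(f"[{entry['priority']:6}] x{entry['hits']} {kind} {entry['access'] or ''} @ {' <- '.join(frames)}")
```

On the sample, four reports collapse to three queue entries with the UAF write at the top. Nothing here decides whether the UAF is reachable from web content or whether the freed object is controllable; that is exactly the step 2 work the workflow above keeps human.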

What This Means If You're Building Today

If you're a founder building a product in 2026, here's our practical take:

Don't skip AI security tooling. Tools like Mythos, Semgrep's AI rules, and custom LLM-assisted code review catch real bugs. The ROI is there.

Don't believe the zero-day hype. AI is not autonomously hunting sophisticated exploits. It's automating work that was previously too tedious for human researchers. That's valuable — just different.

Memory safety is the real story. The Firefox audit is mostly a memory safety story. Rust and Go take the bug class off the table for safe code; C++ with sanitizers and continuous fuzzing finds these bugs before they ship but does nothing to stop you writing them. If you're still writing raw C or C++ without fuzzing infrastructure, that's the real risk.

Understand your threat model. 271 bugs in a Firefox audit sounds terrifying. But Mozilla ships to hundreds of millions of users — their attack surface justifies this level of scrutiny. Your SaaS product has a different threat model.

Our Take on Where Mythos Fits

At Gerus-lab, we've integrated multiple AI security tools into client workflows over the past two years. Here's our honest scorecard:

| Tool category | AI advantage | Human still needed |
| --- | --- | --- |
| Memory safety bugs | High: pattern recognition at scale | Exploitability triage |
| Business logic flaws | Low: context-dependent | Fully human |
| Crypto implementation | Medium: known pattern matching | Novel attacks |
| Auth/authz bugs | Medium: flags suspicious patterns | Intent understanding |

Mythos-style tools will get dramatically better at the "Medium" categories over the next 2-3 years. Business logic bugs will remain human territory for longer.

The Bottom Line

The headlines said: "AI finds $20,000 worth of bugs in Firefox."

The reality: "AI-assisted tooling accelerated memory safety improvements in a large open-source codebase, with a handful of directly attributable findings including at least one serious UAF."

Both are true. One is a headline. One is useful.

We're not dismissing Mythos — we're genuinely excited about where this category is going. But the security community deserves accurate framing. AI is a force multiplier for security research, not a replacement for it.


If you're building something that needs serious security review — whether it's a DeFi protocol, a SaaS platform, or infrastructure tooling — we'd love to talk. We combine AI-assisted analysis with human expertise to find the bugs that matter.

→ Check out what we build at gerus-lab.com
→ Our Web3 security work: gerus-lab.com/cases
→ Have a security question? Reach out: gerus-lab.com/contact

At Gerus-lab, we build Web3, AI, and SaaS products for clients who care about doing it right. From TON and Solana protocols to enterprise automation — gerus-lab.com
