How Anthropic’s Mythos has rewritten Firefox’s approach to cybersecurity

Mythos uncovered sandbox vulnerabilities that eluded human researchers and bounties for years.

Deep Dive

When Anthropic previewed its Mythos model in April, it warned of thousands of software vulnerabilities. Now, Mozilla's Firefox team confirms the impact: Mythos unearthed high-severity bugs that had lain dormant for over a decade, including a 15-year-old HTML parsing error and rare sandbox vulnerabilities. Mozilla shipped 423 bug fixes in April 2026, compared to just 31 a year earlier—a 13x increase. The agentic system's ability to self-assess and filter false positives marks a turning point for AI in security, with researchers noting dramatic improvements in both model capability and techniques.

Despite this power, Mozilla does not use AI to fix bugs; each patch is hand-written by an engineer and reviewed by another. Sandbox vulnerabilities are especially hard to find, requiring the model to craft a compromised patch and then attack the secure code. The top $20,000 bounty rewards pale in comparison to the volume Mythos discovers. While Anthropic follows responsible disclosure, the broader cybersecurity balance may shift if adversaries adopt similar AI techniques.

Key Points
  • Mythos found high-severity bugs in Firefox including an HTML parsing error from 15 years ago and multiple sandbox vulnerabilities worth $20,000 in bounties.
  • Firefox shipped 423 bug fixes in April 2026 compared to 31 a year earlier, a 13x improvement driven by AI-assisted discovery.
  • The agentic system filters false positives autonomously, but all patches are still written and reviewed by human engineers.

Why It Matters

AI-driven vulnerability discovery shifts cybersecurity from reactive patching to proactive threat hunting, raising the bar for defense and offense.