AI Found 22 Firefox Vulnerabilities in Just Two Weeks
Anthropic's Claude discovered 22 security flaws in Firefox, revealing both the promise and limitations of AI-powered security tools
22 vulnerabilities in two weeks. That's what AI found in one of the world's most secure browsers.
Anthropic's Claude Opus 4.6 just completed a security partnership with Mozilla that uncovered 22 separate vulnerabilities in Firefox, 14 of them classified as high-severity. Most of the bugs were patched in Firefox 148 (released this February), though a few fixes are still pending the next release.
What makes this remarkable isn't just the number—it's the target. Anthropic's team deliberately chose Firefox because "it's both a complex codebase and one of the most well-tested and secure open-source projects in the world." They wanted to test AI against a genuinely challenging opponent.
Great at finding flaws, terrible at exploiting them
Here's where it gets interesting: Claude excelled at vulnerability discovery but struggled mightily with exploitation. The team burned through $4,000 in API credits trying to create proof-of-concept exploits, succeeding in only two cases.
This limitation reveals something crucial about AI security tools: they are exceptional at spotting candidate flaws but poor at proving them exploitable. For cybersecurity professionals, this might actually be reassuring news, at least for now. The caveat is that a bug without a working proof of concept is not a bug that cannot be exploited; it is one that still needs a human to confirm reachability and impact, and defenders should treat the discovery rate, not the exploitation rate, as the number to plan around.
The double-edged sword of AI-powered security
For open-source maintainers, this represents both opportunity and challenge. AI can dramatically accelerate security audits, potentially catching vulnerabilities that human reviewers miss. But as TechCrunch noted, these tools also risk flooding projects with "bad merge requests alongside the useful ones."
The implications extend beyond individual projects. If AI can audit Firefox's battle-tested codebase this effectively, what about smaller, less scrutinized open-source projects that power critical infrastructure? The security landscape could see a fundamental shift in how vulnerabilities are discovered and disclosed.