
Mozilla’s partnership with Anthropic continues to pay off: the company fixed an incredible 423 security vulnerabilities in April alone. That’s up from 61 in February and 76 in March, both also thanks to Anthropic, and an enormous leap over the year-ago quarter, when it patched 31 vulnerabilities. It’s also an improvement on the 270 fixes it shipped in Firefox 150, which arrived in late April.
“Just a few months ago, AI-generated security bug reports to open source projects were mostly known for being unwanted slop,” Mozilla’s Brian Grinstead, Christian Holler, and Frederik Braun write. “It is difficult to overstate how much this dynamic changed for us over a few short months. This was due to a combination of two main factors. First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models [by] steering them, scaling them, and stacking them to generate large amounts of signal and filter out the noise.”
Mozilla says that Anthropic’s help comes in the form of its secretive Claude Mythos Preview model, which has proven uniquely skilled at finding potential bugs, creating proof-of-concept test cases to demonstrate them, and articulating their pathology and impact. The scale at which Mythos is finding vulnerabilities and other bugs in Firefox is escalating, too: since the release of Firefox 150, Mozilla shipped more fixes in versions 150.0.1 and 150.0.2, with the total for April alone jumping from 270 to 423.
“Staying on top of this unprecedented volume has led to a lot of work and long days over the last few months, and we’re extremely proud of how the team has stepped up to meet this challenge,” Mozilla continues. “Over 100 people contributed code to this effort to ship the most secure Firefox yet. In addition to writing and reviewing patches, others have been building and scaling this pipeline, triaging, testing the fixes, and managing the release process for each bug.”
Mozilla continues to find bugs via other means, of course, and it still relies in part on external bug reports, which have likewise escalated since it began promoting its work with Anthropic. And more fixes are on the way: Mozilla says that it hasn’t “bottomed on all the latent bugs in Firefox,” though it’s also “quite pleased with the trajectory.” Going forward, it will use AI models to scan patches as they land in the source code base so that it can find problems before vulnerabilities ship to the public.
Incredible. And a, ahem, model for others to follow.