A bug that had lived undetected for twenty years
In April 2026, Mozilla closed more Firefox security vulnerabilities in a single month than it had in the previous two years combined — not through an expansion of human effort, but through Anthropic's AI system Mythos, which identified 271 bugs with near-zero false positives, including one that had hidden in the codebase for two decades. The event marks a quiet but consequential threshold: the moment when artificial intelligence demonstrated it could see into software with a depth and breadth that human attention alone cannot match. What unfolds next — for Mozilla, for the industry, and for the long-standing relationship between human expertise and machine capability — is a question the entire software world is now beginning to ask.
- A 20-year-old Firefox bug, invisible to every human reviewer who passed over it, was surfaced by an AI in what amounts to a single sweep — exposing just how much has been hiding in plain sight.
- Mozilla's April 2026 patch count exceeded the previous 24 months combined, revealing that the bottleneck in software security was never the ability to fix vulnerabilities, but the ability to find them.
- Mythos reported almost no false positives across 271 findings, sidestepping the exhausting noise that typically makes AI-assisted security tools more burden than breakthrough.
- Mozilla now faces a compressed but finite backlog — substantial patching work, but work with a visible horizon, and a new tool that could permanently alter how the organization approaches security.
- The industry is watching: if one AI system can do this to one major browser, the pressure on every software company to deploy similar tools — or fall behind — is already building.
In April 2026, Mozilla closed more Firefox vulnerabilities than it had in the previous two years combined. The force behind that acceleration was not a new security team or a surge in resources. It was Mythos, an AI system built by Anthropic to find bugs in code.
The numbers were striking on their own — 271 vulnerabilities identified — but what distinguished the results was their precision. Mozilla reported almost no false positives, a rarity in security research, where noise and misdirection typically drain the teams doing the work. Mythos was not raising alarms indiscriminately. It was making considered judgments about what actually posed a risk.
Among the findings was a bug that had gone undetected for twenty years. That a widely used browser could harbor such an oversight for two decades, only to have it surfaced by an AI reading code patterns, suggested something fundamental had changed about what security analysis could look like.
The speed of April's closures pointed to a bottleneck that had finally been removed. For years, Mozilla's teams were likely constrained not by their capacity to fix vulnerabilities, but by their ability to locate them. Manual review and conventional testing can only go where human attention is directed. Mythos appeared to look everywhere at once, and with a different kind of comprehension — tracing data flows, identifying where logic breaks down, rather than simply matching known vulnerability signatures.
For Mozilla, the immediate implications are practical: a backlog compressed from years into weeks, and a tool now embedded in how the organization thinks about security. But the larger question belongs to the whole industry. If Mythos can do this for Firefox, what happens when similar systems are turned loose on every major application, operating system, and piece of critical infrastructure? The era of human-only vulnerability discovery may be drawing to a close — and what comes next is still being written.
Mozilla has quietly undergone a security reckoning. In April 2026, the organization closed more Firefox vulnerabilities than it had in the previous twenty-four months combined. The catalyst was not a sudden surge in internal resources or a new team of security researchers. It was Anthropic's Mythos, an AI system designed to hunt for bugs in code.
The numbers tell the story plainly. Mythos identified 271 vulnerabilities in Firefox. What made this discovery remarkable was not just the volume but the precision: Mozilla reported that the findings carried almost no false positives. In the world of security research, false positives are the noise that exhausts teams and wastes time. They are the alerts that cry wolf. Mythos cried wolf almost never.
Among the vulnerabilities Mythos surfaced was a bug that had lived undetected in Firefox's codebase for two decades. Twenty years. The kind of oversight that should feel impossible in a widely used browser, yet there it was: a security flaw hiding in plain sight until an AI system trained to read code patterns found it. That single discovery alone suggested something had shifted in how software security could be approached.
The acceleration was not gradual. April's closure rate—more bugs fixed in one month than in the previous two years—points to a bottleneck that had finally been removed. For years, Mozilla's security teams had likely been constrained not by their ability to fix vulnerabilities but by their ability to find them. Manual code review, fuzzing, and conventional testing methods had their limits. They could only look where human attention was directed. Mythos looked everywhere, and it looked with a different kind of vision.
What Anthropic built with Mythos appears to be a tool that understands code semantically rather than just syntactically. It does not simply pattern-match known vulnerability signatures. It reads the logic of a program, traces the flow of data, and identifies places where assumptions break down or protections fail. This is why the false positive rate stayed so low—the system was not throwing spaghetti at the wall. It was making informed judgments about what constituted an actual security risk.
For Mozilla, the implications are immediate and practical. A backlog of potential vulnerabilities that might have taken years to surface through conventional means has been compressed into weeks. The organization now faces the work of patching, testing, and releasing fixes—substantial work, but work with a clear endpoint. More importantly, the organization has a new tool in its arsenal, one that could fundamentally reshape how it approaches security going forward.
But the story extends beyond Firefox. If Mythos can do this for one browser, the question becomes unavoidable: what happens when other software companies deploy similar systems? What happens when every major application, operating system, and infrastructure tool gets the same treatment? The vulnerability landscape could shift dramatically. Bugs that have hidden for years might be flushed out in months. The security posture of the entire software ecosystem could tighten in ways that were previously impossible.
There is also a question of dependency. Mozilla now knows what Mythos can do. The organization will likely continue to use it, perhaps refine how it uses it, perhaps integrate it deeper into the development cycle. Other companies will watch, learn, and adopt similar approaches. The era of human-only vulnerability discovery may be ending. What replaces it—a partnership between human expertise and AI capability, or something else entirely—remains to be written.
Notable Quotes
Mozilla reported that Mythos findings carried almost no false positives (Mozilla)
The Hearth Conversation
Another angle on the story
Why does finding 271 bugs matter if they were always there?
Because they were invisible. A vulnerability that nobody knows about is a vulnerability that nobody can fix. Mythos made the invisible visible.
But couldn't Mozilla have found these bugs themselves, given enough time and people?
Theoretically, yes. But time and people are finite. Mythos compressed what might have taken years into weeks. That's not just faster—it's a different category of capability.
The false positive rate seems almost too good. How does an AI avoid crying wolf?
It doesn't pattern-match like a simple scanner. It understands code logic. It traces how data moves through a program and finds places where protections fail. It's reading for meaning, not just signatures.
A twenty-year-old bug is embarrassing. Does this make Mozilla look bad?
It makes every software company look vulnerable. That bug wasn't a failure of Mozilla's competence—it was a limitation of the tools available. Mythos revealed what was always true: we've been flying blind.
What happens next? Does every company now need an AI security tool?
Not need, not yet. But they'll watch what Mozilla does. If Mythos keeps working this well, adoption will follow. The question becomes: who gets to use it first, and what advantage does that create?
Is there a downside to finding all these bugs at once?
The work of fixing them is real and expensive. But a known vulnerability you can patch is better than an unknown one that someone else finds first.