FRESH

Hacker News

Mozilla Used Anthropic's Mythos to Find and Fix 271 Bugs in Firefox

40 points by cpeterso

by FireBeyond

0 subcomment

Apropos of anything else, I do like that if one of the big bullet points of Mythos is security, that in their list of "preview users" Anthropic chose orgs like Firefox who might have the largest blast radii, and are the most tempting of targets.

by SpicyLemonZest

0 subcomment

Big news here, I think, is that they agree with Anthropic's prediction that it's a transitory issue, and expect to come out the other end more secure after fixing a finite number of bugs. Not looking forward to my turn at the firehose, but it could have been a lot worse.

by ChrisArchitect

0 subcomment

by ray_v

3 subcomments

As my coworker succinctly put it, "nobody uses Firefox anymore."
I don't know if hundreds of millions of people is exactly, "nobody" but I personally agree that open source software is just going to crush closed source for exactly the reasons we're seeing unfold in front of us; you can audit and correct incorrect behavior for the benefits of all.

by kajman

1 subcomments

So where are they, then? Am I misunderstanding the process and this stuff is kept under wraps even after release?
There's three CVEs in today's security advisory that mention Anthropic.
https://www.mozilla.org/en-US/security/advisories/mfsa2026-3...
There's also no write-up I can see that distinguishes to what extent this is the work of the seven people credited alongside Mythos.

by yborg

1 subcomments

What they did not say is how many of these vulnerabilities were addressed by LLM-created fixes, if any.

by totallyrandom__

0 subcomment

Anthropic said they used 1000 agents worth $20k of token to discover "several dozens" of vulnerabilities in OpenBSD, of which only one was cool enough to mention it and brag about. That's not including the cost of 196 reviewers they also used.
The question is, if Firefox was given $20k worth of credit to find these vulnerabilities, how many vulnerabilities could have been discovered by paying that much money to security researchers who wouldn't have needed additional reviewers?

by lefty2

1 subcomments

I wonder how many false positives there were. Typically this types of static analysis tools come up with a ton of potential bugs, but only a few of them are actual bugs.