- Mozilla’s Firefox 150, released April 22, 2026, includes fixes for 271 vulnerabilities uncovered using early access to Anthropic’s Mythos Preview AI model.
- Firefox CTO Bobby Holley said Mythos Preview covers “the full space of vulnerability-inducing bugs,” including categories previously only detectable through human analysis.
- Mozilla worked directly with Anthropic on a bilateral basis, separate from the company’s broader Project Glasswing industry cybersecurity consortium.
- Mozilla CTO Raffi Krikorian has warned that resource asymmetry will leave smaller open source projects exposed as these capabilities spread.

What Happened
Mozilla announced on April 21, 2026 that Firefox 150 includes fixes for 271 vulnerabilities identified using early access to Anthropic’s Mythos Preview, a new AI model with advanced automated vulnerability detection capabilities. Firefox CTO Bobby Holley said Mozilla obtained access through direct collaboration with Anthropic, outside the company’s larger Project Glasswing industry consortium. The announcement coincides with limited private releases from both Anthropic and OpenAI of AI models the companies describe as a turning point in how defenders — and attackers — find vulnerabilities in software.
Why It Matters
Firefox and comparable organizations have historically relied on a combination of software fuzzing and manual audits by internal and external researchers to surface vulnerabilities — methods equally available to attackers. Holley argues that Mythos Preview disrupts that parity by automating detection of bug categories that were previously only reachable through human analysis. Mozilla CTO Raffi Krikorian, writing in a New York Times Opinion essay published last week, argued the shift will deepen existing structural inequities: “The underlying economics haven’t changed. The most valuable software infrastructure in the world continues to be maintained by people working for free, while the companies building fortunes on top of it never had to pay for its upkeep.”
Technical Details
Holley described Mythos Preview’s impact in terms of coverage across the vulnerability surface: “Our belief is that the tools have changed things dramatically, because now we have automated techniques that can cover, as far as we can tell, the full space of vulnerability-inducing bugs.” Previously, he said, threat actors “willing to spend many millions of dollars” could find classes of vulnerabilities that automated scanning could not — a gap defenders tried to keep as expensive as possible. Mythos Preview, according to Holley, closes that gap, surfacing latent flaws that conventional fuzzing and static analysis had not reached. The 271 vulnerabilities patched in Firefox 150 represent that previously obscured category of bugs.
Who’s Affected
Open source projects face asymmetric exposure. Firefox is open source but benefits from institutional resources; smaller projects maintained by volunteer contributors, or effectively abandoned ones that Holley termed “abandonware,” may lack the access and capacity needed to run comparable audits. Holley told Wired he has spoken with engineering leaders at large companies already planning to redirect thousands of engineers to this work over the next six months. “It’s difficult for these maintainers to not only have the wherewithal and the access to be able to use these tools, but also to actually do anything with them,” he said.
What’s Next
Mozilla says it is working formally and informally with open source maintainers across its ecosystem to share knowledge and tooling. Holley described the current period as finite: “I believe that, at least on the Firefox side having had a bit of a head start here, that we’ve rounded the curve.” How broadly that transition extends to smaller projects will depend on whether Anthropic and OpenAI expand access to Mythos Preview and comparable AI vulnerability tools beyond their current limited private releases.