Claude Mythos Discovers 271 Zero-Day Vulnerabilities in Firefox
271 Zero-Day Vulnerabilities: A Milestone Moment for AI Security Auditing
One number has sent shockwaves through the entire cybersecurity industry: 271. That is the number of zero-day security vulnerabilities discovered by Anthropic's latest frontier model, Claude Mythos Preview, while scanning the Mozilla Firefox browser source code. This is not merely a "large" number; in the words of industry insiders, it is an "extraordinary" one.
Since February of this year, the Firefox team has been working around the clock to leverage frontier AI models to find and fix security vulnerabilities lurking in the browser. Previously, Mozilla had partnered with Anthropic to conduct security scans of Firefox using Claude Opus 4.6, which identified and fixed 22 security-sensitive vulnerabilities in Firefox version 148. As part of the deepening collaboration between the two organizations, Mozilla gained early access to Claude Mythos Preview, ultimately achieving these astonishing results.
From 22 to 271: What's Behind the Capability Leap
Compared to the 22 vulnerabilities found by Opus 4.6, Claude Mythos Preview discovered 271 zero-day vulnerabilities in a single sweep — a more than 12-fold increase. A leap of this magnitude signals that AI models are experiencing exponential growth in code comprehension, vulnerability pattern recognition, and security reasoning capabilities.
A "zero-day" vulnerability is a security flaw that the software vendor has not yet discovered or patched, which makes it a prime target for hackers. Traditional manual code auditing is constrained by engineers' time and energy. Even open-source projects like Firefox, which boast large security teams, struggle to exhaustively identify every potential risk across millions of lines of code. The introduction of AI models is fundamentally changing this landscape.
AI Reshapes the Software Security Auditing Landscape
The trend revealed by Claude Mythos's performance extends far beyond a single number.
First, frontier models are becoming core components of security infrastructure. From assisted programming to automated vulnerability discovery, the role of large language models is evolving from "development assistant" to "security guardian." The collaboration model between Mozilla and Anthropic could become the standard paradigm for future partnerships between software vendors and AI companies.
Second, open-source projects stand to benefit first. As one of the world's most important open-source browsers, Firefox's codebase is entirely public, making it naturally suited for large-scale AI scanning. This means the chronic shortage of security auditing resources facing the open-source community could be fundamentally alleviated through AI technology.
Third, the offensive-defensive dynamic is entering a new phase. If defenders can use AI to discover 271 zero-day vulnerabilities, attackers could equally leverage similar technology to uncover exploits. This AI-driven security arms race will compel the entire industry to accelerate its adoption of AI security tools.
Concerns Worth Noting
However, these results also raise some thought-provoking questions. The existence of 271 zero-day vulnerabilities means Firefox previously harbored a large number of undiscovered security risks, potentially exposing users to threats over extended periods. This is not a problem unique to Firefox but a shared challenge for all large-scale software projects. While AI has accelerated vulnerability discovery, it has also indirectly exposed the limitations of traditional security auditing systems.
Furthermore, Claude Mythos is still in its Preview stage, and the vulnerabilities it has identified still require manual verification and severity classification. Efficiently triaging and remediating such a large volume of vulnerabilities is also a test of the Firefox team's engineering capabilities.
Outlook: AI Security Auditing Will Become an Industry Standard
From Opus 4.6 to Claude Mythos, Anthropic's pace of capability evolution in the security domain is remarkable. As model capabilities continue to improve, AI-powered security auditing is poised to extend its coverage to more mainstream software and critical infrastructure. It is foreseeable that in the near future, "AI-driven security scanning" will no longer be a cutting-edge experiment but a standard process for every responsible software team.
For the hundreds of millions of Firefox users worldwide, this is undoubtedly good news — the browser they use every day is becoming more secure than ever before.
📌 Source: GogoAI News (www.gogoai.xin)
🔗 Original: https://www.gogoai.xin/article/claude-mythos-discovers-271-zero-day-vulnerabilities-in-firefox