Anthropic and Mozilla Detail 22 Firefox Vulnerabilities Found by Claude

Original: We partnered with Mozilla to test Claude's ability to find security vulnerabilities in Firefox.

AI Mar 10, 2026 By Insights AI

On March 6, 2026, Anthropic said on X that Claude Opus 4.6 found 22 Firefox vulnerabilities in a two-week collaboration with Mozilla. Anthropic said Mozilla classified 14 of those findings as high severity, and the company's technical write-up describes the project as an example of how AI-assisted security research can work alongside established maintainers.

Anthropic said those 14 high-severity issues accounted for almost a fifth of all high-severity Firefox vulnerabilities remediated in 2025. The company also said Mozilla shipped fixes to hundreds of millions of users in Firefox 148.0 and treated the joint work as a model for how AI-enabled security researchers and maintainers can collaborate when the volume of findings rises quickly.

To reach that result, Anthropic first tested whether Claude could reproduce historical Firefox CVEs and then shifted to novel vulnerabilities in the current codebase. Anthropic said the model identified a Use After Free issue in the JavaScript engine after about 20 minutes of exploration. Over the broader effort, the team said it scanned nearly 6,000 C++ files and submitted 112 unique reports, with Mozilla helping calibrate which findings were worth filing and how the results should be triaged.

The write-up emphasizes process as much as raw output. Anthropic says AI-assisted bug hunting can generate many crashing inputs, but practical security work still depends on transparent validation, maintainer feedback, and coordinated remediation. Mozilla has also started experimenting with Claude internally for security use cases. Anthropic's full account is available in its Mozilla and Firefox security post.
