Anthropic and Mozilla say Claude Opus 4.6 found 22 Firefox vulnerabilities in two weeks
Original: Partnering with Mozilla to improve Firefox’s security
Anthropic said in a March 6, 2026 announcement that a joint security effort with Mozilla led Claude Opus 4.6 to discover 22 Firefox vulnerabilities over the course of two weeks. Mozilla classified 14 of those findings as high-severity vulnerabilities. Anthropic said that figure represents almost a fifth of all high-severity Firefox vulnerabilities remediated in 2025.
According to Anthropic, the output was large enough that Claude Opus 4.6 found more Firefox vulnerabilities in February 2026 than were reported from all sources in any single month of 2025. Mozilla triaged the reports and shipped fixes to hundreds of millions of users in Firefox 148.0. That detail matters because it moves the story beyond lab demos: the results were validated, integrated into release engineering, and pushed to a live browser used at global scale.
The collaboration started as an evaluation exercise. Anthropic said it first built a dataset of historical Firefox CVEs to see whether Claude could reproduce known issues in a codebase that is both large and heavily audited. After that, the teams moved to the harder task of finding previously unknown bugs in the current Firefox codebase. Anthropic said the JavaScript engine was used as an initial test target because it processes untrusted external code and represents a large attack surface.
Anthropic said Claude reported a use-after-free vulnerability after roughly 20 minutes of exploration. Researchers then validated the issue in an independent virtual machine, confirmed it internally, and filed a Bugzilla report that included a proposed patch generated by Claude and reviewed by the human team. While Anthropic emphasized the speed gains, the post also described a workflow in which model output is still checked, reproduced, and triaged by security researchers before fixes are released.
The larger significance is that AI-assisted vulnerability discovery is starting to look operational rather than experimental. Firefox is not a toy benchmark; it is a widely deployed browser with a complex codebase and a large real-world threat surface. Anthropic and Mozilla presented the project as a model for how AI-enabled security researchers and software maintainers may work together going forward, especially as stronger models begin to surface severe bugs faster than traditional review cycles can handle on their own.