Mozilla just shipped Firefox 150 with fixes for 271 security vulnerabilities, all found by Anthropic's Claude Mythos Preview. That's not a typo. Two hundred seventy-one bugs in a single release, caught by an AI model. The results, detailed in a blog post by Mozilla's Bobby Holley, follow an earlier collaboration where Anthropic's Opus 4.6 found 22 security-sensitive bugs in Firefox 148. The jump from 22 to 271 is a 12x increase, and it's already raising eyebrows. Hacker News commenters pointed out that the gap seems to contradict claims from some OpenAI staff that Mythos isn't a major capability leap over earlier models. The work came out of a direct collaboration between Mozilla and Anthropic. The result shows AI can now catch bugs that previously required expensive human analysis. But the approach raises questions about access: most open source projects lack the resources and connections that made this possible.
Mozilla's takeaway is blunt: defenders finally have a chance to win decisively. Security has always favored attackers, who only need one opening. Defenders have to find them all. For years, the best browsers could hope for was making exploits expensive enough that only well-funded actors would bother. Holley writes that Mythos Preview is "every bit as capable" as elite human security researchers, and that Mozilla found "no category or complexity of vulnerability that humans can find that this model can't." They also haven't discovered bugs that defy human understanding. The defects are finite, and Mozilla believes we're entering a world where we can finally find them all.
That has real implications for the bug bounty economy. Platforms like HackerOne and Bugcrowd built businesses on the scarcity of skilled human researchers, with top bounty hunters earning hundreds of thousands annually. If AI can match elite researchers at a fraction of the cost, companies will internalize vulnerability discovery rather than paying external bounties. Mid-tier researchers, who make up the bulk of the bug bounty workforce, will feel this first. An AI system can scan an entire codebase in minutes. A human takes days or weeks. The economic pressure is inevitable.
Mozilla cautions that codebases could grow beyond human comprehension as AI writes more code, potentially scaling bug complexity faster than discovery capability. They argue that human-comprehensibility remains essential for critical software like browsers. But the tools exist now, and the advantage is shifting to defenders.