AI models are actively hunting down complex software bugs. Recently, Anthropic partnered with Mozilla to test whether AI could find novel security flaws in complex, open-source software. In that test, Claude Opus 4.6 discovered 22 separate vulnerabilities in Firefox over just two weeks in February 2026. Mozilla classified 14 of these as high-severity. Strikingly, this number represents nearly 20% of all high-severity Firefox bugs fixed in the entirety of 2025.
Claude Opus 4.6: Fast Discovery in the Codebase
The Anthropic team initially targeted Firefox’s JavaScript engine. It provides an isolated environment with a massive attack surface. Within 20 minutes, Claude found a “Use After Free” memory vulnerability. Researchers validated this bug and submitted a Claude-written patch.
Afterward, Claude rapidly generated 50 more unique crashing inputs. Ultimately, the AI scanned nearly 6,000 C++ files. The team then submitted 112 unique bug reports to Mozilla’s issue tracker, Bugzilla.
Exploitation Remains a Challenge
Anthropic also tested Claude’s ability to weaponize these bugs. They wanted to see if the AI could write malicious tools to exploit the target system. The team spent $4,000 in API credits across several hundred attempts.
However, Opus 4.6 created only two crude exploits. Furthermore, these exploits worked only because researchers intentionally disabled modern browser security features, like the sandbox. Firefox’s standard “defense in depth” would have blocked the attacks. Therefore, Claude is currently much better, and cheaper, at identifying bugs than exploiting them.
Firefox 148 Steps Up
To handle the flood of AI-generated reports, Anthropic recommends developers use “task verifiers”. These tools give the AI real-time feedback to confirm it actually removed a vulnerability.
Fortunately, Mozilla fixed most of these issues in the Firefox 148.0 release in February. Furthermore, this update brings several new features to the browser. Firefox 148 adds a new AI Controls section in Settings. It also safely decouples remote browser improvements from telemetry requirements. Additionally, the release provides better screen reader support for PDF math formulas, native translation for Vietnamese and Traditional Chinese, and minor UI bug fixes.

