Anthropic successfully identified 22 distinct security vulnerabilities within the Mozilla Firefox codebase over a two-week testing period, with 14 of these flaws officially categorized as “high-severity.” Most of these critical bugs have already been patched in Firefox 148, released this past February, while the remaining fixes are slated for upcoming updates.
AI-Driven Security Auditing
The security partnership used Claude Opus 4.6 to audit the browser's codebase. The audit began in the JavaScript engine and then expanded systematically to other critical segments of the codebase. Anthropic researchers targeted Firefox specifically because it is both a highly complex codebase and one of the most rigorously tested and secure open-source projects currently in existence.
The Limits of AI Exploitation
While the AI proved exceptionally proficient at surfacing vulnerabilities, it struggled significantly when tasked with weaponizing them. Anthropic invested $4,000 in API credits attempting to develop proof-of-concept exploits for the discovered bugs; however, the model only achieved success in two instances.
Implications for Open Source
This initiative highlights the potential of AI tools to bolster the security of open-source software. At the same time, the experiment is a practical reminder that AI brings mixed outcomes to development workflows: alongside genuine security improvements, it can generate high volumes of inaccurate or unusable code submissions.
For more details on the collaborative effort, you can view the full report on the official Anthropic partnership page.
