
Claude’s Firefox bug haul shows AI’s security power shift
Anthropic’s Claude helped Mozilla uncover 22 Firefox vulnerabilities in two weeks, highlighting how large language models are reshaping software security for both defenders and attackers.
Anthropic’s Claude has just delivered one of the clearest real‑world demos yet of AI as a supercharged bug hunter, helping Mozilla uncover 22 security vulnerabilities in Firefox during a two‑week review, 14 of them rated high‑severity. According to coverage by TechCrunch, most of the flaws have already been fixed in Firefox 148, shipped in February, with the remaining patches slated for the next release.
In a post describing the collaboration, Mozilla says Anthropic’s Frontier Red Team used Claude Opus 4.6 to scan Firefox’s JavaScript engine and other components, ultimately submitting 112 detailed reports that led to 22 CVEs (Common Vulnerabilities and Exposures), including 14 high‑severity issues now recorded in Mozilla’s advisory system. Mozilla notes that Claude surfaced “more than a dozen verifiable security bugs” with reproducible tests, and that the 14 high‑severity bugs and 22 CVEs tied directly to the AI‑assisted review demonstrate impact in one of the web’s most heavily scrutinized codebases, as detailed in Mozilla’s own write‑up of the engagement with Anthropic’s red team on its blog.
How Claude hunted bugs in a hardened browser
Anthropic’s team has been testing Claude Opus 4.6 as a security co‑pilot across open‑source projects, and the Firefox engagement was designed as a high‑stress benchmark: a mature browser with extensive memory‑safety hardening that already undergoes intensive fuzzing and manual review. Mozilla’s blog explains that the process began with Claude assisting in static review of the JavaScript engine, then expanded to other sensitive subsystems, with human experts validating each finding before it reached Firefox engineers.
Anthropic told Axios that across a broader internal campaign, Claude uncovered more than 500 previously unknown flaws in open‑source projects, with the Firefox work accounting for 112 security‑relevant reports. In the browser’s case, the vulnerabilities ranged from memory‑safety bugs to logic errors that could, in principle, be chained into exploits, but Mozilla security lead Marshall Erwin stressed that “just because you find a single vulnerability, even a high vulnerability, it is not enough to hack Firefox,” pointing to modern mitigations and sandboxing.
Notably, Claude was much better at finding vulnerabilities than at weaponizing them. Anthropic’s team spent around $4,000 in API calls trying to have the model generate working proof‑of‑concept exploits, but succeeded in only two cases, a gap that both TechCrunch and specialist coverage at Cybersecurity News highlight as evidence that high‑end exploit development still demands sophisticated human expertise and resilient targets.
A defensive breakthrough — and a dual‑use warning
For defenders, the message is blunt: large language models can now meaningfully accelerate vulnerability discovery in production‑grade software. Papers like “Synergizing Static Analysis with Large Language Models for Vulnerability Discovery and beyond” have argued that combining LLMs with traditional tools can sharply increase bug‑finding yield; Claude’s Firefox haul offers a concrete, high‑profile validation of that thesis in the wild, moving LLM‑assisted security out of the lab and into mainstream browser engineering.
The workflow Mozilla describes — AI surfaces candidates, humans triage and verify, patches ship quietly before public disclosure — is a template that could spread to other major projects. Anthropic has already productized this pattern with Claude Code Security, which the company says is designed to review large codebases for vulnerabilities as an enterprise feature, according to recent documentation summarized by Wikipedia. If widely adopted, that kind of tooling could compress the time between bug introduction and bug fix, especially for organizations that can’t afford large internal security teams.
The same capabilities, however, are inherently dual‑use. Security researchers have been warning that as LLMs become better at understanding complex code and security invariants, attackers can also use them to scan open‑source projects or proprietary apps for exploitable patterns, lowering the skill and time required to mount serious attacks — concerns echoed in recent surveys of LLM‑powered vulnerability discovery such as LLM4Vuln.
Mozilla and Anthropic tried to get ahead of that risk by keeping details under wraps until patches shipped and by emphasizing that the AI’s exploit‑writing performance remains limited against hardened targets. But as models improve and specialized “vuln‑LLMs” emerge in research — for example, the agent‑based VulnLLM‑R system proposed in late‑2025 work on LLM‑guided security reasoning — the gap between defensive and offensive use may narrow.
The Firefox case may therefore be remembered less as a one‑off AI showcase and more as an inflection point. From now on, any serious security roadmap — whether for browsers, cloud stacks or critical infrastructure — will have to assume that LLMs are in the mix on both sides, racing to map and exploit the same terrain. The winners will likely be the teams that learn to treat models like Claude not as magic, but as powerful, fallible instruments embedded in disciplined disclosure, patching and monitoring pipelines.