Partnering with Mozilla to improve Firefox’s security
Summary
Anthropic collaborated with Mozilla, demonstrating that Claude Opus 4.6 can independently identify high-severity vulnerabilities in complex software. Over two weeks in February 2026, Claude Opus 4.6 discovered 22 vulnerabilities in Firefox, 14 of which Mozilla classified as high-severity. This represents almost a fifth of all high-severity Firefox vulnerabilities remediated in 2025. The AI model initially reproduced historical CVEs in older Firefox versions before successfully finding novel bugs in the current codebase, including a use-after-free vulnerability in the JavaScript engine. Mozilla subsequently released fixes for most issues in Firefox 148.0. While Claude is proficient at finding and fixing vulnerabilities, its ability to create exploits is significantly less developed, succeeding in only two out of several hundred attempts, at a cost of approximately $4,000 in API credits.
Key takeaway
For security teams and CTOs evaluating AI for cybersecurity, this collaboration highlights AI's immediate value in vulnerability discovery and patching. You should consider integrating LLM-powered tools, like Claude Code Security, into your security workflows to accelerate the identification and remediation of high-severity bugs. Focus on establishing robust task verifiers and clear reporting protocols to maximize AI's effectiveness and maintain trust in AI-generated findings, while acknowledging the current gap in AI's exploitation capabilities.
Key insights
AI models like Claude Opus 4.6 can autonomously find and help fix high-severity software vulnerabilities at accelerated speeds.
Principles
- Task verifiers improve AI agent output quality.
- AI excels at discovery, less so at exploitation.
- Collaboration enhances AI-driven security outcomes.
Method
Claude Opus 4.6 was tasked with finding novel vulnerabilities in Firefox's current codebase, starting with the JavaScript engine and then expanding to other areas. Findings were submitted with proposed patches.
In practice
- Use LLMs with task verifiers for bug discovery.
- Include test cases and candidate patches in reports.
- Prioritize fixing vulnerabilities quickly.
Topics
- AI-enabled Security
- Vulnerability Discovery
- Large Language Models
- Firefox Security
- Exploit Generation
Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, AI Researcher
Editorial summary, takeaway, and curation by AIssential. Original article published by Anthropic News.