Mozilla says 271 vulnerabilities found by Mythos have "almost no false positives"
Mirrored from Ars Technica — AI for archival readability. Support the source by reading on the original site.
The disbelief was palpable when Mozilla’s CTO last month declared that AI-assisted vulnerability detection meant “zero-days are numbered” and “defenders finally have a chance to win, decisively.” After all, it looked like part of an all-too-familiar pattern: Cherry-pick a handful of impressive AI-achieved results, leave out any of the fine print that might paint a more nuanced picture, and let the hype train roll on.
Mindful of the skepticism, Mozilla on Thursday provided a behind-the-scenes look into its use of Anthropic Mythos—an AI model for identifying software vulnerabilities—to ferret out 271 Firefox security flaws over two months. In a post, Mozilla engineers said the finally ready-for-prime-time breakthrough they achieved was primarily the result of two things: (1) improvement in the models themselves and (2) Mozilla’s development of a custom “harness” that supported Mythos as it analyzed Firefox source code.
"Almost no false positives"
The engineers said their earlier brushes with AI-assisted vulnerability detection were fraught with “unwanted slop.” Typically, someone would prompt a model to analyze a block of code. The model would then produce plausible-reading bug reports, and often at unprecedented scales. Invariably, however, when human developers further investigated, they’d find a large percentage of the details had been hallucinated. The humans would then need to invest significant work handling the vulnerability reports the old-fashioned way.
More from Ars Technica — AI
-
Trump gets OpenAI to offer US 5% stake, far lower than Sanders’ target
Jul 2
-
Musk’s X poses “serious risk to Americans’ privacy,” advocates warn FTC
Jul 2
-
Google’s AI buildout drove 37% increase in electricity use in 2025
Jul 2
-
After spooking Trump into safety testing, Anthropic AI models get global release
Jul 1
Discussion (0)
Sign in to join the discussion. Free account, 30 seconds — email code or GitHub.
Sign in →No comments yet. Sign in and be the first to say something.