
<p>The disbelief was palpable when Mozilla’s CTO last month declared that AI-assisted vulnerability detection meant “<a href="https://arstechnica.com/ai/2026/04/mozilla-anthropics-mythos-found-271-zero-day-vulnerabilities-in-firefox-150/">zero-days are numbered</a>” and “defenders finally have a chance to win, decisively.” After all, it looked like part of an all-too-familiar pattern: Cherry-pick a handful of impressive AI-achieved results, leave out any of the fine print that might paint a more nuanced picture, and let the hype train roll on.</p>
<p>Mindful of the skepticism, Mozilla on Thursday provided a behind-the-scenes look into its use of Anthropic Mythos—an AI model for identifying software vulnerabilities—to ferret out 271 Firefox security flaws over two months. In a <a href="https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/">post</a>, Mozilla engineers said the finally ready-for-prime-time breakthrough they achieved was primarily the result of two things: (1) improvement in the models themselves and (2) Mozilla’s development of a custom “<a href="https://arxiv.org/abs/2603.28052">harness</a>” that supported Mythos as it analyzed Firefox source code.</p>
<h2>"Almost no false positives"</h2>
<p>The engineers said their earlier brushes with AI-assisted vulnerability detection were fraught with “unwanted slop.” Typically, someone would prompt a model to analyze a block of code. The model would then produce plausible-reading bug reports, and often at unprecedented scales. Invariably, however, when human developers further investigated, they’d find a large percentage of the details had been hallucinated. The humans would then need to invest significant work handling the vulnerability reports the old-fashioned way.</p><p><a href="https://arstechnica.com/information-technology/2026/05/mozilla-says-271-vulnerabilities-found-by-mythos-have-almost-no-false-positives/">Read full article</a></p>