Anthropic’s Claude found 22 vulnerabilities in Firefox over two weeks
By Jakub Antkiewicz
2026-03-07T08:31:37Z
In a recent security partnership with Mozilla, Anthropic's AI model Claude identified 22 distinct vulnerabilities within the Firefox browser codebase. The findings are significant as they demonstrate a practical application of large language models for securing critical, widely-used open-source software. Of the vulnerabilities discovered, 14 were classified as high-severity, and most have already been patched in the February release of Firefox 148.
The two-week audit utilized Claude Opus 4.6, which first analyzed Firefox's complex JavaScript engine before expanding to other parts of the code. Mozilla's rationale for the project was to test AI against one of the most well-vetted open-source projects available. A notable detail from the effort was Claude's relative performance at different tasks; while it excelled at finding bugs, it was far less capable of writing software to exploit them. Anthropic's team reported spending $4,000 in API credits attempting to generate proof-of-concept exploits, but only succeeded in two instances.
This collaboration provides a clear illustration of how AI can serve as a powerful augmentation tool for human security teams, particularly within the open-source ecosystem where resources can be constrained. The model's difficulty in creating exploits suggests that human expertise remains essential for validating and assessing the true risk of discovered flaws. The outcome indicates that AI-driven security audits may become a more common component of the software development lifecycle, offering a scalable method to improve code integrity before it reaches users.
The successful use of an LLM to find, but not easily exploit, critical vulnerabilities in a major browser signals a shift where AI will become a standard tool for defensive security auditing, rather than an imminent offensive threat.