AI found +100 bugs in Firefox within a week, says Mozilla

While some organizations are struggling to manage waves of unreliable or hallucinated bug reports generated by artificial intelligence, Mozilla is seeing tangible benefits from AI-driven vulnerability research. The foundation recently began collaborating with Anthropic to improve the security of the Firefox browser, and several AI-assisted fixes have already been integrated into the codebase.

Mozilla has partnered with Anthropic’s Frontier Red Team to locate and address potential security weaknesses in Firefox. According to the organization, Anthropic approached them a few weeks ago after testing a new AI-supported bug discovery technique. Mozilla said the results demonstrated clear potential and could help make Firefox more secure for users.

The researchers concentrated on Firefox’s JavaScript engine. Mozilla explained that the browser offers a widely used and well-examined open-source codebase, making it an ideal environment for evaluating new analysis methods. Using the AI system, the team discovered several vulnerabilities in the JavaScript engine and generated minimal test cases, allowing developers to quickly confirm and reproduce the issues.

Developers ultimately verified 14 high-severity security flaws, corresponding to 22 separate CVE identifiers. Mozilla said every one of these vulnerabilities has already been resolved in the most recent Firefox release, version 148.0. The process also surfaced 90 additional issues classified as lower priority, which have also been fixed.

Mozilla noted that Anthropic’s reporting approach stands out from many other AI-related efforts in the open-source world. Some well–known projects, including curl, have recently had to discourage or block AI generated submissions after receiving large numbers of low-quality reports from individuals attempting to collect bug bounty rewards without proper validation.

Many of the weaknesses identified by Anthropic’s method are similar to the vulnerabilities typically revealed by fuzzing. Fuzzing is an automated testing approach that injects unexpected or malformed inputs into software in order to trigger crashes and expose flaws. However, Mozilla said the AI system also identified several categories of logic errors that traditional fuzzing techniques often fail to detect.

Following the success of the collaboration, Mozilla intends to incorporate this AI-supported process into its broader security and development practices. The organization expects Anthropic’s Claude models and other advanced AI systems to play a role in identifying additional vulnerabilities going forward.

If the method proves effective at a larger scale, Mozilla believes it could help uncover significant numbers of previously hidden bugs in other widely used open source projects, particularly in areas where fuzzing and other traditional testing techniques have already reached their limits without assistance from artificial intelligence.