Claude Mythos Finds 271 New Firefox Vulnerabilities – But Critics Still Aren’t Convinced

Mozilla says Anthropic's unreleased cybersecurity model identified hundreds of bugs in Firefox 150, though the official advisory credits Claude on just three individual CVEs.

Published on Apr 23, 2026

Mozilla has patched 271 security vulnerabilities in Firefox 150 after running the browser’s codebase through an early version of Anthropic’s Claude Mythos Preview, a model restricted to vetted partners through Anthropic’s Project Glasswing program.

Firefox CTO Bobby Holley, writing on the Mozilla blog on Tuesday, said the team has “found no category or complexity of vulnerability that humans can find that this model can’t.”

The figure marks a sharp jump from Mozilla’s earlier collaboration with Anthropic. Starting in February, the Firefox security team used Claude Opus 4.6 to scan the codebase and shipped fixes for 22 security-sensitive bugs in Firefox 148. Mythos produced more than 12 times as many in its first pass.

Holley framed the advance in terms of cost rather than capability. An elite researcher, he argued, could find the same bugs in principle, but at a price measured in months of work per flaw. Mythos surfaces them at scale, which is what begins to erode the attacker-defender asymmetry.

Questions Remain Over What the 271 Bugs Actually Are

The 271 number has drawn scrutiny. Mozilla’s official Firefox 150 security advisory, MFSA 2026-30, lists 41 CVE entries, of which only three individually credit the Anthropic team using Claude: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758.

The gap was flagged, among others, by SecurityWeek, which suggested the rest are most likely low-severity defects, hardening fixes, or flaws sitting behind execution paths that attackers cannot realistically reach, none rising to the level of a public CVE. No severity breakdown or per-bug detail has been published.

That opacity has fed broader skepticism. Bruce Schneier, a security technologist and Lecturer in Public Policy at the Harvard Kennedy School, called the launch “a PR play by Anthropic” on his blog, pointing to work by security firm Aisle that reproduced some of Anthropic’s findings using older and cheaper models that are already public.

The access debate sharpened further with a disclosure on April 21. Bloomberg reported that a private Discord group had accessed Claude Mythos Preview on April 7, the day Project Glasswing was announced, using a third-party contractor credential and information apparently learned from a March Mercor breach to guess the model’s URL pattern.

Anthropic confirmed it is investigating and said it has found no evidence the activity reached its own infrastructure. Still, the episode exposed a structural gap in the restricted-access model: containment depends on every third-party vendor in the chain, not just Anthropic’s own controls.