AI as a Bug Hunter
In one of the most impressive demonstrations of AI-powered security research to date, Anthropic’s Claude Opus 4.6 discovered 22 separate vulnerabilities in Mozilla Firefox over a two-week period. Of those, 14 were classified as high-severity.
The findings came out of a security partnership between Anthropic and Mozilla, with results published on March 6, 2026.
The Numbers
- 112 total bug reports submitted to Mozilla
- 22 confirmed security vulnerabilities
- 14 high-severity classifications
- ~$4,000 in API credits spent
- Most fixes shipped in Firefox 148 (released February 2026)
Why Firefox?
Anthropic chose Firefox deliberately: it is one of the most thoroughly tested and security-hardened open-source projects in the world. Finding new bugs in a codebase that security researchers have picked over for decades is genuinely impressive.
The team started with Firefox’s JavaScript engine and expanded outward. Across all open-source projects tested, Claude found over 500 previously unknown flaws.
The Interesting Caveat
Claude was far better at finding vulnerabilities than exploiting them. Despite spending $4,000 in compute trying to generate proof-of-concept exploits, the team succeeded in only two cases. This is actually reassuring: it suggests AI tools are currently better suited as defensive assets than offensive ones.
What This Means
This is a significant moment for AI in cybersecurity. Traditional security auditing is expensive, slow, and limited by human attention spans. An AI model grinding through millions of lines of code, finding bugs that human reviewers missed, could transform how we secure open-source software.
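To make the scale argument concrete, here is a minimal sketch of what an automated audit loop over a large codebase might look like. This is an illustration, not Anthropic's actual pipeline: the chunk sizes are arbitrary assumptions, and `review_chunk` is a stub standing in for a real model call with a security-review prompt.

```python
# Hypothetical audit loop: split source code into overlapping
# line windows and ask a model to flag suspicious code in each.

def chunk_source(text: str, lines_per_chunk: int = 200, overlap: int = 20):
    """Yield overlapping chunks of source lines, so a bug that
    straddles a chunk boundary still appears whole in one chunk."""
    lines = text.splitlines()
    step = lines_per_chunk - overlap
    for start in range(0, max(len(lines), 1), step):
        yield "\n".join(lines[start:start + lines_per_chunk])
        if start + lines_per_chunk >= len(lines):
            break

def review_chunk(chunk: str) -> list[str]:
    """Stub for the model call. A real pipeline would send the chunk
    to an LLM with a vulnerability-hunting prompt and parse the
    findings it returns; here we simply report nothing."""
    return []

def audit(source: str) -> list[str]:
    """Run the review over every chunk and collect all findings."""
    findings: list[str] = []
    for chunk in chunk_source(source):
        findings.extend(review_chunk(chunk))
    return findings
```

The overlap between chunks is the key design choice: without it, a vulnerability whose setup and trigger fall on opposite sides of a chunk boundary could be invisible to every individual review.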
It also raises questions about the flip side: if AI can find vulnerabilities this efficiently, it’s only a matter of time before threat actors use similar techniques offensively. The race between AI-powered defence and AI-powered attack is well and truly on.