The takeaway: While some companies are struggling with a flood of unreliable or hallucinated AI-generated bug reports, Mozilla is finding real value in bug-seeking bots. The foundation has begun working with Anthropic to strengthen Firefox's security, and several AI-assisted bug fixes have already landed in the browser's codebase.
Mozilla is now working with Anthropic's Frontier Red Team to identify and patch potentially dangerous security vulnerabilities in Firefox. According to Mozilla, the AI company approached them a few weeks ago with results from a newly developed, AI-assisted bug-hunting method. The approach appears to work, Mozilla said, and could ultimately lead to a safer Firefox experience for everyone.
Anthropic's team focused on Firefox's JavaScript engine, in part because the Red Panda browser offers a widely used and "deeply scrutinized" open-source codebase that makes it ideal for testing new analysis techniques. The AI system uncovered several security flaws in the JS engine and also produced minimal test cases, allowing Firefox developers to quickly verify and reproduce the issues.
In total, developers confirmed 14 high-severity security bugs, which resulted in 22 separate CVE tracking IDs. Mozilla said all of these issues have already been fixed in the latest Firefox release (version 148.0). The process also uncovered 90 additional low-priority bugs, which have since been addressed.
Mozilla emphasized that Anthropic's approach to bug reporting differs significantly from other AI-driven efforts. Some major open-source projects, including curl, have been forced to discourage or outright ban AI-generated contributions after being flooded with low-quality submissions from users attempting to earn bug bounty rewards without proper vetting.

Many of the vulnerabilities uncovered through Anthropic's technique are of the kind typically discovered through fuzzing, an automated testing method that feeds unexpected inputs into software to trigger crashes. However, Mozilla said the AI model also identified several classes of logic bugs that traditional fuzzing techniques often miss.
After seeing the results, Mozilla plans to incorporate the new AI-assisted method into its broader security and development workflow. The organization expects Anthropic's Claude models and other advanced AI systems to help uncover additional issues in the future.
If the approach proves scalable, it could also help identify large numbers of previously "undiscoverable" bugs across other popular open-source projects, where fuzzing and other traditional techniques, used without the help of AI, have reached their limits.
