Artificial intelligence is now helping security teams uncover critical software bugs faster than ever before.
Quick Summary – TLDR:
- Anthropic’s Claude Opus 4.6 discovered 22 security vulnerabilities in Firefox during a two-week collaboration with Mozilla.
- 14 of the vulnerabilities were classified as high severity, posing serious security risks.
- Most issues have already been fixed in Firefox 148, released in February 2026.
- The experiment shows how AI-driven security research could transform vulnerability detection.
What Happened?
Anthropic partnered with Mozilla to test whether its AI model Claude Opus 4.6 could help identify real security vulnerabilities inside the Firefox browser. During the two-week collaboration, the AI discovered 22 previously unknown vulnerabilities, including 14 classified as high severity by Mozilla’s security team.
Most of these flaws were fixed in Firefox version 148, which was released in February 2026, while the remaining issues are expected to be addressed in upcoming updates.
We partnered with Mozilla to test Claude’s ability to find security vulnerabilities in Firefox.
Opus 4.6 found 22 vulnerabilities in just two weeks. Of these, 14 were high-severity, representing a fifth of all high-severity bugs Mozilla remediated in 2025.
— Anthropic (@AnthropicAI) March 6, 2026
AI Put to Work Auditing Firefox Security
The project began as an experiment to measure how well advanced AI systems could identify real software vulnerabilities. Anthropic researchers selected Firefox as the testing ground because it is considered one of the most secure and extensively tested open source browsers in the world.
The team first used Claude to reproduce previously known security issues from older Firefox versions. After confirming the model could reliably detect those historical vulnerabilities, the researchers asked the AI to analyze the current version of Firefox in search of new and previously undiscovered bugs.
Claude initially focused on Firefox’s JavaScript engine, which processes code from websites and is often a major target for attackers. Within roughly twenty minutes of exploring the code, the AI reported a use-after-free vulnerability, a type of memory error in which a program keeps using memory after it has been freed and which can allow attackers to overwrite data with malicious code.
Researchers validated the finding and submitted it to Mozilla through Bugzilla, the company’s official bug tracking platform. Along with the vulnerability report, Claude also helped generate a candidate patch intended to fix the issue.
Large Scale Code Scanning
During the research effort, Claude analyzed nearly 6,000 C++ files within the Firefox codebase. The team ultimately submitted 112 unique bug reports to Mozilla, which included a mix of high severity and moderate severity vulnerabilities.
Mozilla engineers then reviewed the reports, confirmed the most serious issues, and began rolling out fixes to users. According to Mozilla’s security classification, 14 of the vulnerabilities discovered by Claude were considered high severity, meaning they could potentially allow attackers to compromise user systems or access sensitive information.
The partnership also required close coordination between the researchers and Mozilla’s internal security team. Mozilla encouraged Anthropic to submit findings in bulk, even when the researchers were not fully certain whether each crash scenario represented a serious vulnerability.
Testing Whether AI Could Exploit the Bugs
Anthropic researchers also wanted to understand whether the AI could go beyond discovering bugs and actually exploit them.
To test this, Claude was given the vulnerabilities it had discovered and was asked to build proof of concept exploits. The goal was to demonstrate a simulated attack where the AI could read and write files on a target system.
Despite several hundred attempts and around four thousand dollars in API usage, the model succeeded in building working exploits for only two vulnerabilities.
This result showed that Claude is significantly better at discovering vulnerabilities than exploiting them. The exploits also worked only in a controlled testing environment where certain security protections were removed.
Modern web browsers use multiple defensive layers such as sandboxing, which limits the impact of vulnerabilities even if attackers find them.
Why This Matters for Software Security?
The results highlight how AI tools could dramatically speed up vulnerability discovery. Security researchers often spend months analyzing complex software projects to find flaws. In this case, Claude identified dozens of potential vulnerabilities in just two weeks.
Firefox serves hundreds of millions of users worldwide, making security extremely important. Browsers regularly interact with untrusted content from websites, which means any vulnerability could potentially expose users to malicious attacks.
The experiment also showed that AI can help security teams review large codebases more efficiently. While human experts are still needed to verify, prioritize, and fix issues, AI systems can rapidly scan code and flag suspicious behavior.
SQ Magazine Takeaway
I believe this partnership offers a clear glimpse into the future of cybersecurity. AI will not replace security researchers, but it will amplify their capabilities in a massive way. Finding vulnerabilities across millions of lines of code is incredibly difficult for humans alone. When AI can scan thousands of files and highlight dangerous patterns in minutes, security teams gain a powerful advantage.
At the same time, the research also shows an important balance. Claude can find vulnerabilities much faster than it can exploit them. For now, that gives defenders an edge. But as AI systems improve, the industry will need to move quickly to strengthen defenses and stay ahead of potential misuse.