Claude Finds 22 Firefox Vulnerabilities In Just Two Weeks

Updated: March 6, 2026

A new security collaboration between Anthropic and Mozilla shows how AI can strengthen software security.

During the partnership, Anthropic’s AI model discovered 22 vulnerabilities in the Mozilla Firefox codebase, and 14 were classified as high-severity.

This emerged after only two weeks of analysis. Most of the vulnerabilities have already been fixed. 

Mozilla included many of the patches in Firefox 148, which was released in February. However, several fixes will arrive in the browser’s next update.

Firefox

Firefox has a large, highly complex codebase. The browser has also undergone years of rigorous security testing.

Developers widely consider it one of the most secure open-source projects available today. Because of this reputation, Firefox offered a strong test case.

If an AI model could find vulnerabilities in such a mature system, the results would carry real weight.

Anthropic explained that Firefox represents both a challenging and well-tested environment. Therefore, it was the ideal setting to evaluate AI security analysis.

Claude Opus 4.6 

For the project, Anthropic relied on its advanced AI system, Claude Opus version 4.6.

The model began its analysis inside Firefox’s JavaScript engine. This component runs scripts that power interactive features on websites.

Because almost every modern website uses JavaScript, this engine often becomes a major target for attackers.

Claude first reviewed this section of the browser’s code and then gradually expanded its analysis to other areas of the Firefox codebase.

Over the two weeks, the AI system scanned large volumes of code and flagged suspicious patterns. 

Human researchers later reviewed the results to confirm which findings represented genuine vulnerabilities.

Vulnerabilities

By the end of the experiment, the team had confirmed 22 separate security vulnerabilities.

Among them were 14 high-severity vulnerabilities, several moderate-risk issues, and a small number of lower-severity bugs. 

High-severity flaws can create serious problems. In some situations, attackers may use them to crash software or execute malicious code.

Because of these risks, Mozilla moved quickly to address the vulnerabilities. Most of the fixes were included in Firefox 148. However, some patches require deep technical changes. 

Those fixes will appear in a future browser release.

Bugs

Although Claude proved highly effective at detecting vulnerabilities, the system showed limits when attempting to create exploits.

To test this ability, Anthropic tried to generate proof-of-concept attacks. These programs demonstrate how a vulnerability could be used in a real attack.

The team spent about $4,000 in API credits running these experiments.

Despite the investment, Claude successfully produced working exploit examples for only two vulnerabilities.

This reveals something important: AI systems can detect weaknesses in code, but turning those weaknesses into practical attacks remains far more difficult.

Lolade

Contributor & AI Expert