As soon as Anthropic revealed the tremendous power of Mythos to find exploitable bugs in code, the same idea occurred to everyone simultaneously: Is it possible to completely evaluate a code base, fix all the vulns, and publish vuln-free code?

There is no question that would be a game changer. There remains a minor problem with actually being able to claim code is perfect. I’ll leave that to the Trustworthy Computing folks. Certainly, if you can point Mythos at your code and fix everything it finds, you have produced much better code.

On Tuesday Mozilla posted:

As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation.

This is it. This is the beginning of improved code across the world.

The Mozilla blog goes on to state unequivocally that computers were completely incapable of reasoning through source code a few months ago, and now they excel at it, exceeding even the best human researchers.

Historically, having egregiously bad code has had consequences in a few notable instances. Flash is practically dead. Adobe had its struggles. Microsoft Internet Explorer was forced into extinction. But there are plenty of cases of code being replete with vulnerabilities for decades and yet still winning in the marketplace. That is pretty much the story of most Microsoft products, at least early on.

Is it going to be different this time? Mozilla was the first developer with access to Mythos to issue a Mythos-scrubbed update. I am writing this on Firefox 150.

When it announced Project Glasswing ten days ago, Anthropic did not even mention Mozilla. The lucky few that were granted early access were: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. We anxiously await their improved code.

Mozilla has shown the way. Microsoft, Apple, and Google are now on notice. Show us the results of your application of Mythos to your code bases for Edge, Safari, and Chrome.

We will know that Mythos has materially changed the game when the number of Chrome CVEs reported each year drops to single digits.

I will end with one more quote from the Mozilla announcement:

As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus. For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up.
