Claude AI Found Over 100 Bugs in Firefox in Just Two Weeks — 14 Were High-Severity

Anthropic’s Claude Opus 4.6 was pointed at Mozilla’s Firefox codebase for two weeks in January. It found over 100 bugs, 14 of them high-severity — more vulnerabilities than human security researchers typically discover in two months of testing. Mozilla has now confirmed the results and the two companies have formalized a security partnership.

The timing, of course, is impeccable. Anthropic is in the middle of the biggest PR crisis in its short history — the Pentagon labeled it a “supply chain risk,” the Department of Defense terminated a $200 million contract, and the company is fighting to prove that AI can be used for good. What better way to make that case than having your AI catch more browser bugs in two weeks than an army of security researchers does in two months?

The Numbers Are Genuinely Impressive

According to the Wall Street Journal, Claude Opus 4.6 discovered over 100 bugs in Firefox during a two-week testing period in January 2026. Of those:

  • 14 were classified as high-severity — the kind of vulnerabilities that could potentially be exploited by attackers
  • 22 were confirmed as actionable security vulnerabilities that Mozilla has validated and is working to fix
  • The remainder included lower-severity bugs, code quality issues, and potential security weaknesses

To put this in perspective, Mozilla typically receives fewer bug reports in an entire two-month period than what Claude produced in 14 days. The AI didn’t just find more bugs — it found them faster and with a higher hit rate on serious vulnerabilities.

How Claude Hunted Bugs

Firefox is one of the largest open-source codebases in the world, with millions of lines of C++, Rust, and JavaScript. Anthropic’s approach involved having Claude Opus 4.6 systematically analyze sections of the codebase, looking for patterns that indicate common vulnerability types: memory safety issues, use-after-free bugs, buffer overflows, logic errors in security-critical code paths, and more.

This isn’t the first time AI has been used for bug hunting, but the scale and success rate are notable. Previous AI-powered security tools have typically found bugs at rates comparable to or slightly better than automated fuzzers. Claude’s results suggest that large language models with deep code understanding can significantly outperform traditional automated testing approaches.

Mozilla Welcomes the Help

Mozilla has embraced the partnership, with the company publicly praising the results. Anthropic announced on March 6 that the two companies are formalizing their collaboration to “improve Firefox’s security” on an ongoing basis.

For Mozilla, this is free security testing at a scale they couldn’t easily afford on their own. Firefox has been losing market share for years, and security has always been one of its strongest selling points against Chrome. Having an AI partner that can audit your code faster than any human team is a significant competitive advantage — even if the partner happens to be embroiled in a Pentagon controversy.

The Strategic Timing Is Hard to Ignore

Let’s be clear about what’s happening here. Anthropic is under fire from the U.S. government. The Pentagon has labeled the company a “supply chain risk.” The $200 million defense contract with Anthropic collapsed over acceptable use restrictions. And CEO Dario Amodei has been publicly calling out OpenAI’s military dealings as “straight up lies.”

In the middle of all this, Anthropic announces that its AI found a hundred bugs in one of the most important pieces of consumer software on the internet. The message is unmistakable: See? AI can be used to protect people, not just spy on them.

Whether or not the timing was deliberate (it almost certainly was), the results speak for themselves. Finding 14 high-severity vulnerabilities in Firefox before attackers could exploit them is genuinely valuable security work. Every one of those bugs fixed is a potential breach prevented, a zero-day that won’t be sold on the dark web.

What This Means for AI-Powered Security

The Firefox results are likely just the beginning. If Claude can find 100+ bugs in two weeks in one codebase, the implications for software security are enormous:

  • Open-source projects with limited security budgets could get AI audits at a fraction of the cost of human penetration testing
  • Critical infrastructure software — operating systems, databases, networking stacks — could be systematically scanned
  • Enterprise applications could undergo continuous AI security review as part of their CI/CD pipelines

Google’s Threat Intelligence Group just reported that 90 zero-day vulnerabilities were exploited in 2025, up from 78 in 2024. The attackers are getting faster. AI-powered defense might be the only way to keep up.

The Bottom Line

Anthropic’s Claude finding 100+ Firefox bugs in two weeks is genuinely impressive — and strategically brilliant PR at a time when the company desperately needs to show that AI can be a force for good. The results are real, the vulnerabilities are real, and Firefox users will be safer because of it.

But don’t miss the chess move: while the Pentagon debates whether Anthropic is a security risk, Anthropic is out here making the internet more secure than the Defense Department ever could. Sometimes the best defense isn’t a $200 million contract — it’s two weeks with a really smart AI.