{"id":85478,"date":"2026-04-21T11:29:17","date_gmt":"2026-04-21T18:29:17","guid":{"rendered":"https:\/\/blog.mozilla.org\/?p=85478"},"modified":"2026-04-21T11:29:19","modified_gmt":"2026-04-21T18:29:19","slug":"ai-security-zero-day-vulnerabilities","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/","title":{"rendered":"The zero-days are numbered\u00a0"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"576\" src=\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-1024x576.jpeg\" alt=\"Multiple white cursor arrows scattered across a bright orange background.\" class=\"wp-image-85480\" srcset=\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-1024x576.jpeg 1024w, https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-300x169.jpeg 300w, https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-768x432.jpeg 768w, https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-1536x864.jpeg 1536w, https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-2048x1152.jpeg 2048w, https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-1000x563.jpeg 1000w, https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-1280x720.jpeg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser. 
We <a href=\"https:\/\/blog.mozilla.org\/en\/firefox\/hardening-firefox-anthropic-red-team\/\">wrote previously<\/a> about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148.<\/p>\n\n\n\n<p>As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week\u2019s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation.<\/p>\n\n\n\n<p>As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus. For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it\u2019s even possible to keep up.<\/p>\n\n\n\n<p>Our experience is a hopeful one for teams who shake off the vertigo and get to work. You may need to reprioritize everything else to bring relentless and single-minded focus to the task, but there is light at the end of the tunnel. We are extremely proud of how our team rose to meet this challenge, and others will too. Our work isn\u2019t finished, but we\u2019ve turned the corner and can glimpse a future much better than just keeping up. <strong>Defenders finally have a chance to win, decisively.<\/strong><\/p>\n\n\n\n<p>Until now, the industry has largely fought security to a draw. Vendors of critical internet-exposed software like Firefox take security extremely seriously and have teams of people who get out of bed every morning thinking about how to keep users safe. Nevertheless, we\u2019ve all long quietly acknowledged that bringing exploits to zero was an unrealistic goal. 
Instead, we aimed to make them so expensive that only actors with functionally unlimited budgets can afford them, and that the cost of burning such an expensive asset disincentivizes those actors against casual use.<\/p>\n\n\n\n<p>This is because security to date has been offensively-dominant: the attack surface isn\u2019t infinite, but it\u2019s large enough to be difficult to defend comprehensively with the tools we\u2019ve had available. This gives attackers an asymmetric advantage, since they only need to find one chink in the armor.<\/p>\n\n\n\n<p>We use <em>defense-in-depth<\/em> to apply multiple layers of overlapping defenses, but no layer is bulletproof. Firefox runs each website in a separate process sandbox, but attackers try to combine bugs in the rendering code with bugs in the sandbox to escape to a more privileged context. We\u2019ve led the industry in building and adopting Rust, but we still can\u2019t afford to stop everything to rewrite decades of C++ code, especially since Rust only mitigates certain (very common) classes of vulnerabilities.<\/p>\n\n\n\n<p>We pair defense-in-depth engineering with an internal red team tasked with staying on the leading edge of automated analysis techniques. Until recently, these have largely been dynamic analysis techniques like fuzzing. Fuzzing is quite fruitful in practice, but some parts of the code are harder to fuzz than others, leading to uneven coverage.<\/p>\n\n\n\n<p>Elite security researchers find bugs that fuzzers can\u2019t largely by reasoning through the source code. This is effective, but time-consuming and bottlenecked on scarce human expertise. Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world\u2019s best security researchers, and Mythos Preview is every bit as capable. 
So far we\u2019ve found no category or complexity of vulnerability that humans can find that this model can\u2019t.<\/p>\n\n\n\n<p>This can feel terrifying in the immediate term, but it\u2019s ultimately great news for defenders. A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker&#8217;s long-term advantage by making all discoveries cheap.<\/p>\n\n\n\n<p><strong>Encouragingly, we also haven\u2019t seen any bugs that <em>couldn\u2019t<\/em> have been found by an elite human researcher.<\/strong> Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don\u2019t think so. Software like Firefox is designed in a modular way for humans to be able to reason about its correctness. It is complex, but not arbitrarily complex<sup>1<\/sup>.<\/p>\n\n\n\n<p>The defects are finite, and we are entering a world where we can finally find them all.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-small-font-size\"><sup>1 <\/sup>&nbsp;There\u2019s a risk that codebases begin to surpass human comprehension as a result of more AI in the development process, scaling bug complexity along with (or perhaps faster than) discovery capability. Human-comprehensibility is an essential property to maintain, especially in critical software like browsers and operating systems.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser. We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148. 
As part of our continued [&hellip;]<\/p>\n","protected":false},"author":1850,"featured_media":85480,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,289374],"tags":[],"coauthors":[462265],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The zero-days are numbered\u00a0<\/title>\n<meta name=\"description\" content=\"AI security tools help Firefox uncover and fix hundreds of vulnerabilities, shifting the balance against zero-day exploits.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/\",\"url\":\"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/\",\"name\":\"The zero-days are numbered\u00a0\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-scaled.jpeg\",\"datePublished\":\"2026-04-21T18:29:17+00:00\",\"dateModified\":\"2026-04-21T18:29:19+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/39c72fc5fe3131938ca29bc4d0fc71e5\"},\"description\":\"AI security tools help Firefox uncover and fix 
hundreds of vulnerabilities, shifting the balance against zero-day exploits.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-scaled.jpeg\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2026\/04\/Cursor_Orange_1920x1080-scaled.jpeg\",\"width\":2560,\"height\":1440,\"caption\":\"Multiple white cursor arrows scattered across a bright orange background.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/privacy-security\/ai-security-zero-day-vulnerabilities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The zero-days are numbered\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/en\/\",\"name\":\"The Mozilla Blog\",\"description\":\"News and Updates about Mozilla\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/39c72fc5fe3131938ca29bc4d0fc71e5\",\"name\":\"Bobby 
Holley\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/image\/3778421c0b7c4656b76e9453776e3e22\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ac57223c49d41049a4917e187b854377?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ac57223c49d41049a4917e187b854377?s=96&d=mm&r=g\",\"caption\":\"Bobby Holley\"},\"description\":\"CTO, Firefox\",\"url\":\"https:\/\/blog.mozilla.org\/en\/author\/bholleymozilla-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/85478"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/users\/1850"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/comments?post=85478"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/85478\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media\/85480"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media?parent=85478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/categories?post=85478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/tags?post=85478"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/coauthors?post=85478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}