2026-03-06 · Anthropic

Partnering with Mozilla to improve Firefox’s security

Source: Anthropic Date: 2026-03-06 URL: https://www.anthropic.com/news/mozilla-firefox-security

Summary

Anthropic partnered with Mozilla to run Claude against Firefox’s C++ codebase for automated vulnerability research. Over two weeks, Claude scanned nearly 6,000 C++ files and submitted 112 unique reports; Mozilla triaged 22 confirmed vulnerabilities, 14 classified as high-severity. A Use After Free in the JavaScript engine was identified within twenty minutes of starting. Mozilla released fixes in Firefox 148.0, patching issues that represented roughly one-fifth of all high-severity Firefox vulnerabilities remediated in 2025. The work extended to broader open-source software, with Claude identifying over 500 zero-day vulnerabilities across projects.

Implications

  • Demonstrates a repeatable pattern for AI-assisted security research on large C/C++ codebases: automated scanning at scale, followed by human triage of prioritized candidates with minimal test cases and candidate patches attached.
  • The 500+ zero-day count across open-source projects is a data point on the economic magnitude of the security backlog AI can now surface at low marginal cost — previously gated behind scarce human security researcher time.
  • Mozilla’s three-part verification requirement (minimal repro, proof-of-concept, candidate patch) is a practical template for trust calibration when integrating AI findings into a security workflow.
  • Feeds the thread on AI applied to infrastructure safety: the value proposition here is throughput and coverage on memory-unsafe codebases, not replacing human judgment on severity and remediation.
