2026-05-08 · Nate's Newsletter

271 bugs found in Firefox, zero written by a human attacker. What this means for the future of safe code + 2 prompts


Source: Nate’s Newsletter · Date: 2026-05-08 · URL: https://natesnewsletter.substack.com/p/ai-code-trust-verification-shift

Summary

Mozilla’s Mythos experiment used a purpose-built AI vulnerability model to find 271 bugs in Firefox — compared to 22 found by a general-purpose model — without a human attacker involved. The article argues this marks a trust inversion: AI-generated and AI-reviewed code is becoming the more secure baseline, while human-written code inherits the legacy legibility problems that make it harder for adversarial AI review tools to analyze. The window for refactoring codebases into a machine-readable state is described as short and closing.

Implications

  • Code legibility is now a security property, not just a maintainability one — poorly organized codebases are increasingly liabilities because next-generation security tooling cannot analyze what humans cannot read.
  • The asymmetry between general-purpose models (22 bugs) and purpose-built vulnerability models (271 bugs) signals that specialized agents will outperform general coding agents on security-sensitive tasks by a wide margin.
  • For teams shipping AI-assisted code, the pressure shifts from “did a human review this” to “is this codebase legible enough for adversarial AI audit” — a meaningfully different bar that favors clean, modular, low-surface-area codebases.
