It took Anthropic’s most advanced artificial-intelligence model about 20 minutes to find its first Firefox browser bug during an internal test of its hacking prowess. The Anthropic team submitted it, and Firefox’s developers quickly wrote back: This bug was serious. Could they get on a call?
“What else do you have? Send us more,” said Brian Grinstead, an engineer with Mozilla, Firefox’s parent organization.
Anthropic did. Over a two-week period in January, Claude Opus 4.6 found more high-severity bugs in Firefox than the rest of the world typically reports in two months, Mozilla said.
Tools powered by AI are increasingly adept at spotting vulnerabilities and are beginning to rival the talents of seasoned security experts. Some experts worry that those same capabilities will unleash a new wave of cyberattacks as bugs are discovered and then exploited more quickly than ever before.
Claude’s bug bonanza began after Anthropic’s security team decided that it would be interesting to focus its software on a widely used and complex piece of browser software that has been under the microscope for years.
Firefox is the modern version of the Web’s first commercial browser, Netscape Navigator. Its code is now managed under the umbrella of the not-for-profit Mozilla Foundation. Navigator launched its first bug bounty program more than 30 years ago, offering cash to those who identify potential weaknesses that bad actors could abuse. Mozilla typically pays as much as $6,000 for high-severity bugs.
In the two weeks it was scanning, Claude discovered more than 100 bugs in total, 14 of which were considered “high severity.” That means that if the right “exploit code” had been created, they could have been used in a widespread attack on Firefox’s users.
Last year, Firefox patched 73 bugs that it rated as either high severity or critical.
AI tools are both a blessing and a curse for software developers. In January, the makers of Curl software abandoned their own bug bounty program, citing “an explosion in AI slop reports.” Fewer than one in 20 bugs reported in 2025 were actually real, said Daniel Stenberg, Curl’s lead developer.
“The AI chatbots still easily hallucinate security problems,” Stenberg said. “But at the same time, there are quite capable AI-powered code analyzers that find real things,” he said.
Anthropic’s researchers didn’t send in everything that Claude unearthed, focusing only on examples that were reproducible, something that made it much easier for Mozilla’s team to confirm the bugs.
Anthropic’s researchers also asked Claude to build exploit code, but it proved to be much better at finding bugs than exploiting them, according to Logan Graham, the head of Anthropic’s Frontier Red Team, which evaluates Claude for risks. Claude did write two exploits that worked on a test version of the browser, but they would have been stopped in the real world by Firefox’s other security mechanisms, Graham said.
Still, many security experts say that the speed at which AI systems are finding bugs and turning them into attack code is upending the way organizations defend themselves. “The current methods of cyber defense are not able to handle the speed and frequency of what is going on,” said Gadi Evron, chief executive of the AI cybersecurity firm Knostic.
Source: Yahoo Finance
https://finance.yahoo.com/news/send-us-more-anthropic-claude-103000002.html