Anthropic partnered with Mozilla to use Claude Opus 4.6 for automated vulnerability research in Firefox. Over two weeks, Claude discovered 22 CVEs, 14 of which Mozilla classified as high-severity—nearly a fifth of all high-severity Firefox vulnerabilities remediated in 2025. The process involved scanning ~6,000 C++ files and submitting 112 unique bug reports, with fixes shipped in Firefox 148.0. Claude also attempted to exploit discovered bugs, succeeding in only 2 of several hundred attempts, and only in sandboxed test environments. Key technical lessons include using 'task verifiers' to let agents check their own work, and submitting minimal test cases, proofs-of-concept, and candidate patches alongside reports. Anthropic warns that the gap between AI vulnerability discovery and exploitation capabilities may close soon, urging developers to act now. They also announced Claude Code Security for bringing these capabilities to customers and open-source maintainers.