Mozilla says 271 vulnerabilities found by Mythos have "almost no false positives"

The story

The developer of Firefox says it has "completely bought in" on AI-assisted bug discovery.

From the source

Text settings Story text Size Small Standard Large Width Standard Wide Links Standard Orange Subscribers only Learn more Minimize to nav The disbelief was palpable when Mozilla’s CTO last month declared that AI-assisted vulnerability detection meant “ zero-days are numbered ” and “defenders finally have a chance to win, decisively.” After all, it looked like part of an all-too-familiar pattern: Cherry-pick a handful of impressive AI-achieved results, leave out any of the fine print that might paint a more nuanced picture, and let the hype train roll on.

Mindful of the skepticism, Mozilla on Thursday provided a behind-the-scenes look into its use of Anthropic Mythos—an AI model for identifying software vulnerabilities—to ferret out 271 Firefox security flaws over two months. In a post , Mozilla engineers said the finally ready-for-prime-time breakthrough they achieved was primarily the result of two things: (1) improvement in the models themselves and (2) Mozilla’s development of a custom “ harness ” that supported Mythos as it analyzed Firefox source code.

The engineers said their earlier brushes with AI-assisted vulnerability detection were fraught with “unwanted slop.” Typically, someone would prompt a model to analyze a block of code. The model would then produce plausible-reading bug reports, and often at unprecedented scales. Invariably, however, when human developers further investigated, they’d find a large percentage of the details had been hallucinated. The humans would then need to invest significant work handling the vulnerability reports the old-fashioned way.

Who and what

Key names and topics in this story: Mozilla, Mythos.

Where to follow next

• Read the full piece at arstechnica.com
• More from our AI & prompts coverage