Last month, Mozilla's CTO claimed that AI-assisted vulnerability detection had made "zero-days" obsolete. The company has now provided a behind-the-scenes look at its use of Anthropic Mythos to identify 271 Firefox security flaws over two months. Engineers attributed the breakthrough to two things: improvements in the models themselves, and the development of a custom "harness" that supported Mythos as it analyzed Firefox source code.
A harness is code that wraps around an LLM (large language model) and guides it through specific tasks; building and customizing one takes significant engineering effort. Mozilla's team built a harness that gave Mythos access to the same tools and pipeline used by human developers, including special testing builds.
According to the engineers, running Mythos with the custom harness produced "almost no false positives." That is a significant improvement over earlier attempts at AI-assisted vulnerability detection, which often produced plausible-looking bug reports that turned out to be inaccurate on closer investigation.
Mozilla's work with Anthropic Mythos suggests that AI-assisted vulnerability detection can be a valuable tool for identifying security flaws, but it requires careful customization and integration into existing development processes.