Mozilla patched 423 Firefox bugs in April using Anthropic’s new Mythos AI model. For reference, the browser maker usually ships around 30 fixes a month. Mythos even unearthed a 15-year-old error in HTML parsing and complex sandbox vulnerabilities that human bounty hunters missed for years.


Firefox isn’t the only software that benefited. Open-source multimedia framework FFmpeg also recently thanked Mythos for squashing a 16-year-old bug in its codebase. 

Mozilla’s bug bounty program pays independent researchers up to $20,000 to find sandbox flaws. That is the highest reward available. Mythos discovered these high-severity sandbox issues at a volume humans couldn’t match. The AI effectively simulates thousands of elite security researchers working simultaneously.

Now, Mozilla CTO Raffi Krikorian has issued a warning about these capabilities of advanced AI in a podcast with Bloomberg. Krikorian previously served as the first CTO of the Democratic National Committee and worked in Uber’s advanced technologies group. He knows large-scale infrastructure threats intimately. Krikorian admitted the new AI technology freaks him out.

Tech companies know how to handle security vulnerabilities at scale. The internet infrastructure survived Heartbleed because web developers patch systems daily. Tech giants build codebases specifically designed for rapid, automated updates.

But that’s not quite how other critical infrastructure operates. Power grids, water treatment plants, and local banks run on legacy software. These entities don’t have elite security teams deploying daily patches. Krikorian fears malicious actors will use the same AI techniques to target these fragile systems.

“I don’t think my bank knows how to do it. I don’t think my power company knows how to do it. Those are like the other pieces of critical infrastructure that I’m really worried about.”

Open-source AI models are catching up to proprietary technology at an alarming rate. Hackers will soon download models with the exact same bug-hunting capabilities as Mythos. They will automate the scanning of vulnerable public infrastructure. Krikorian expects this shift to happen within a year. And it’s not even a stretch to assume so. We’re already seeing some open models match what Anthropic had just a few months ago.

“I think it’s only 6 to 9 to 12 months when all the open models can start doing what Mythos is doing. We only actually have a small window of time.”

Governments will have to intervene to secure public utility networks before the open models drop. The free market won’t fix public sector infrastructure on its own. Public networks don’t receive the same security investments as private tech products. The financial incentives simply aren’t there.

Krikorian called for a massive global mobilization reminiscent of the Y2K bug response. Corporate boards, insurance companies, and federal regulators forced widespread code updates before the year 2000. And it looks like society needs that exact same level of coordination right now. Tech providers, open-source developers, and database managers require immediate funding to clean up their old code.

“We need to have actually a real large-scale Y2K-like effort to actually start closing a bunch of these critical vulnerabilities.”

Whether or not governments around the world are ready for what’s coming is another question.


Dwayne Cubbins