Better Rivets

Mozilla published a technical deep-dive on hacks.mozilla.org this morning. Engineers wrote it, not comms. It shows.

There are actual Bugzilla IDs. Actual bug descriptions. A 15-year-old bug in the <legend> element. A 20-year-old XSLT bug. Race conditions across IPC boundaries requiring a compromised content process to manipulate IndexedDB refcounts in the parent to trigger a use-after-free. A raw NaN crossing an IPC boundary that could masquerade as a tagged JavaScript object pointer and hand an attacker a fake-object primitive for a sandbox escape. These aren't hallucinations. These aren't plausible-looking garbage from an LLM that didn't check its work. These are documented, reproduced, confirmed, and patched.

I said show us the rest of the roll. They showed us some of it. The bugs are real and I want to be clear about that before I say anything else.

The numbers got clarified too. The 271 from the announcement was always a subset — Mythos Preview findings for Firefox 150 specifically. The actual total Mozilla fixed across April's releases was 423 security bugs. Of those, 41 were externally reported, 271 came from the Mythos pipeline, and 111 were split between other models, earlier Mythos work shipped outside of 150, and traditional fuzzing. Their typical monthly volume throughout all of 2025 ran 20-30 bugs. April hit 423. That's not a gradual adoption curve. That's a step function.

And of the 271 Mythos bugs: 180 were sec-high. In Mozilla's own framework, sec-high means exploitable with normal user behavior — browsing to a webpage. No unusual permissions, no complex victim choreography. Just: user has Firefox, user opens a tab. Nearly two thirds of the findings were in that category.

The post also documented something I wasn't expecting — what the model couldn't break. Mozilla audited the harness logs and found repeated attempts to pursue sandbox escapes via prototype pollution, a technique that legitimate researchers had successfully used against Firefox before. Every attempt failed. Because Mozilla made an architectural change years ago to freeze those prototypes by default. The model tried. The defense held. That's now documented in logs, against a capable automated attacker. Previous hardening work validated retroactively. That's a new kind of feedback loop and it's genuinely useful.

So. Real bugs. Serious bugs. Real work by a real team. The methodology works and the tool is real.

Now here's what else the post shows us.

Mozilla built their own harness — the scaffolding that tells the model where to look, structures how findings get reported, runs test cases to verify bugs are real and reproducible, and feeds results back into the pipeline so the next pass is smarter than the last. Not "install model, press go." A purpose-built system sitting on top of their existing fuzzing infrastructure, with parallel VMs, one agent per target file, shared findings across instances, and over a hundred engineers behind it handling triage, patching, and release management.

The harness is the system. Mythos is the engine they dropped into it.

Which raises a question the post doesn't ask: how much of the 271 is the model, and how much is the system built around it?

That question got a lot more interesting when I read Davi Ottenheimer's teardown at flyingpenguin of Anthropic's own system card — the 244-page document behind the "too dangerous to release" narrative that justified Glasswing and the restricted access program. The Register put it bluntly: none a human couldn't spot. That's the CTO's own admission turned into a headline. But Ottenheimer goes further. The evaluation that generated all those headlines wasn't real Firefox. It was a SpiderMonkey shell in a container with the process sandbox and all defense-in-depth mitigations stripped out. The bugs weren't found by Mythos — they were pre-discovered by Opus 4.6 and handed to Mythos as a corpus to exploit. And when you remove the two easiest bugs from that corpus, Mythos's full-code-execution rate drops from 72% to 4%. Anthropic's own system card says this, on page 52.

That's the foundational document doing all the policy work. The one that justified restricting access to twelve Glasswing partners. Read carefully it says: give this model the two easiest bugs with the defenses turned off and it performs impressively. Remove those two bugs and it's not meaningfully distinguishable from what you can already access.

I'm not saying the 271 are fake. I'm saying: if the flagship demonstration of what Mythos uniquely can do doesn't hold up to scrutiny, then what Mozilla might actually have demonstrated is that they got really good at building a harness. The model is capable. So is Opus 4.6. So, apparently, is whatever comes after.

The methodology is the news. Not the model.

The Mozilla Hacks post documents this itself, almost in passing. Before Mythos, Mozilla ran Opus 4.6 against Firefox 148. Found 22 bugs. Then they built and refined the harness based on what they learned. Then Mythos ran.

Mythos didn't walk into untouched code. It walked into a codebase that had already been partially cleared, through a harness that had been specifically improved from the Opus run, operated by a team that now knew what signal looked like and how to act on it.

The "Mythos found twelve times more than Opus" comparison floating around isn't a clean A/B test. Different model, yes. But also better harness. More mature pipeline. More experienced team. Partially pre-screened territory. Those variables aren't separated out anywhere in the public documentation.

The 271 is a system result. Mozilla is presenting it with a model's name on the trophy.

Not Mythos specifically. Not any model behind a velvet rope.

What's scary is that the methodology is now understood, documented, and the barrier to entry is dropping every few months. 0DIN's socket is in the README. The harness architecture Mozilla used is now described in enough detail in a public blog post that anyone sufficiently motivated has a roadmap. The question of what to feed the model, how to structure the targeting, how to build the feedback loop — that's being answered publicly and in real time by the people who just ran the most successful security scan in browser history.

Glasswing restricted the model. Mozilla just open-sourced the delivery system.

And here's the thing about the model restriction: if the harness is doing the heavy lifting, then someone who's been quietly building around a publicly available model and getting mediocre results just learned the problem probably wasn't the model. It was what they were feeding it and how. Mozilla just published a detailed description of what better looks like.

Someone waiting for Mythos access might not need to wait. They might just need better rivets.

Mozilla had over a hundred engineers triaging and patching. They described it as long days, extraordinary effort, hard to sustain. They fixed 423 bugs in April. They're proud of it and they should be.

The incentive structure for an offensive operation running the same approach is almost exactly reversed. You don't need a hundred engineers on the other end. You need the bugs. You don't patch them, you stockpile them. The asymmetry that has always defined security — finding is cheaper than fixing — just got a multiplier applied to the finding side.

The logical move isn't waiting for a better model. It's scaling what already works. More instances. More targets in parallel. Iterate on what produces signal. That's a compute budget decision, not a technical breakthrough.

According to TechCrunch reporting on the Axios scoop, the NSA is using Mythos — reportedly for scanning their own environments for vulnerabilities, same as everyone else with access. Defensively. But the NSA's institutional mandate runs in both directions, and nobody is elaborating on where the line sits or how it's enforced. The Pentagon's CTO called Mythos a "separate national security moment" while simultaneously maintaining Anthropic is a supply chain risk. That's not a coherent position. That's two people in the same building disagreeing about which fire to put out first.

The people whose job it is to think through all of this aren't writing blog posts. They were in these rooms before Mozilla published the methodology, and they'll still be there long after the coverage cycle moves on.

Mozilla's announcement told defenders to get started now. That's the right call.

The same post told anyone else that the approach is validated, the barrier is lower than the Mythos narrative implied, and the bottleneck is execution, not access.

The 271 are real. The bugs are fixed. Firefox users are genuinely safer.

And the scariest thing about this week's post isn't in the bug table.

It's in the methodology section.