SCWorld.com reported that “Mozilla patched 22 vulnerabilities in Firefox that were discovered by Anthropic’s Claude Opus 4.6 AI model. Anthropic said Friday that Claude discovered the first vulnerability, a use-after-free in Firefox’s JavaScript engine, within 20 minutes of exploring the open-source browser’s codebase.” The March 10, 2026 report entitled “Mozilla fixes 22 Firefox vulnerabilities discovered by Anthropic’s Claude AI” (https://tinyurl.com/3d8yxwc8) included these comments:

Human researchers validated the flaw, as well as a proposed patch written by Claude, and reported it through Mozilla’s Bugzilla issue tracker. Mozilla then invited Anthropic to submit future Claude-discovered flaws “in bulk” without the need to be manually validated by the Anthropic team, the company said.

“Critically, their bug reports included minimal test cases that allowed our security team to quickly verify and reproduce each issue,” Mozilla said in a blog post Friday.

Of the 22 CVEs discovered, Mozilla flagged 14 as high severity. The flaws were fixed in Firefox version 148 on Feb. 24, 2026.

Anthropic emphasized the importance of working closely with open-source maintainers like Mozilla to avoid false positives and submit high-quality reports when using large language models (LLMs) for open-source vulnerability discovery.

Concerns have been raised about the recent surge in AI-generated bug reports for open-source projects, which can place a substantial burden on volunteer maintainers when reports lack detail or a proposed fix, an issue that led cURL to terminate its bug bounty program in January.

Anyone surprised?

First published at https://www.vogelitlaw.com/blog/anthropics-claude-ai-discovered-22-vulnerabilities-in-firefox-in-20-minutes