AI Found 22 Firefox Bugs in Two Weeks — What It Means for You
An AI just out-hacked human security researchers
Anthropic’s Frontier Red Team pointed Claude Opus 4.6 at the Firefox codebase and let it run for two weeks. The result: 22 new security vulnerabilities, including 14 rated high-severity. One of them, CVE-2026-2796, scored a 9.8 out of 10 on the severity scale — about as dangerous as a software bug gets.
Mozilla patched everything in Firefox 148 within days. But the speed of discovery matters more than any single patch. Firefox is one of the best-tested open-source projects in the world. If AI can find critical flaws that years of human review missed, the security landscape just changed for everyone, including your business.
What Anthropic’s red team actually found
Anthropic chose Firefox deliberately. It is a mature, heavily audited codebase with an active bug bounty program. Finding new vulnerabilities there means AI is not just catching low-hanging fruit.
Here is what the numbers look like:
| Metric | Result |
|---|---|
| Total vulnerabilities found | 22 |
| High-severity | 14 |
| Moderate-severity | 7 |
| Low-severity | 1 |
| Time to discovery | 14 days |
| API cost for the entire run | ~$4,000 |
| Crash reports submitted to Mozilla | 112 |
Claude started with Firefox’s JavaScript engine and expanded from there. It submitted 112 unique crash reports to Mozilla’s Bugzilla tracker. The AI identified logic errors — the kind of subtle flaws that slip past automated fuzzers and human code reviewers alike.
The most critical find, CVE-2026-2796, was a type confusion in the JavaScript WebAssembly component. Claude did not just find the bug. It wrote a working exploit that achieved arbitrary code execution in Firefox’s JS engine.
Anthropic was candid about the limitations. The exploit only worked in a testing environment with some browser sandboxing removed. Claude is not yet writing full-chain exploits that could compromise a real user’s machine. But as Anthropic noted, “looking at the rate of progress, it is unlikely that the gap between frontier models’ vulnerability discovery and exploitation abilities will last very long.”
Why this matters for small businesses
You might think browser security research has nothing to do with running a restaurant or a plumbing company. It does — and here is why.
Attackers get these tools too. If a defensive AI can find 22 vulnerabilities in a hardened codebase for $4,000, a malicious actor can use the same technology to find weaknesses in less secure software. The tools your business relies on — your point-of-sale system, your scheduling app, your customer database — are far less battle-tested than Firefox.
Small businesses are already the primary target. 43% of all cyberattacks target small businesses, and employees at small companies face 350% more social engineering attacks than those at large enterprises. The average breach costs a small business $120,000, and 60% of attacked businesses close within six months.
The defense gap is real. Only 23% of small business owners say they feel very prepared to handle a cyberattack. 74% self-manage their cybersecurity or rely on an untrained friend or family member. Meanwhile, AI is making attacks faster and cheaper to execute.
The good news: the same AI that makes attacks more dangerous is now making defense more accessible. If you have been putting off security because it felt like an enterprise-only concern, that excuse is gone.
Our take
Anthropic’s Firefox project is a proof of concept that matters beyond browser security. It demonstrates that AI-powered security auditing is no longer theoretical. It works, it is fast, and it is cheap enough that the economics now favor smaller organizations.
The bottom line: AI security tools are shifting from luxury to necessity. The businesses that adopt them early will be the ones still operating when the next wave of AI-powered attacks arrives.
What is missing from the conversation
- Software vendors need pressure too. Your point-of-sale company, your CRM provider, your website host: are they using AI to audit their own code? Start asking. If Anthropic can find 22 vulnerabilities in Firefox, 14 of them high-severity, imagine what is lurking in less scrutinized software.
- The $4,000 cost is the headline nobody noticed. Enterprise security audits cost $50,000 to $200,000. This AI found more bugs in two weeks for the price of a used laptop. That cost curve is heading toward zero.
Questions that remain
- Will AI security tools become standard in compliance frameworks like PCI-DSS or HIPAA?
- How quickly will insurance companies adjust premiums for businesses using AI-powered security monitoring?
What you should do
Immediate actions
- Update Firefox now. If you or your team use Firefox, make sure you are running version 148 or later. These vulnerabilities are patched, but only if you update.
- Enable automatic updates everywhere. Every browser, every operating system, every application. Patches move faster now because discovery moves faster. Manual update schedules cannot keep up.
- Run a basic security audit. You do not need to spend $4,000 on an AI audit. Start with the SBA’s cybersecurity planning tool and the FCC’s Small Biz Cyber Planner. Both are free.
- Turn on multi-factor authentication. On your email, your bank, your POS system, your website admin panel. 32% of 2025 breaches exploited compromised credentials — MFA stops most of those cold.
Watch for
- AI-powered security tools priced for SMBs. CrowdStrike Falcon Go, Norton Small Business, and Microsoft Defender for Business are already in this space. Expect more options at lower price points as AI drives down the cost of threat detection.
- Your software vendors announcing AI security audits. This should become a selling point. If a vendor is not investing in automated security testing, ask why.
The security gap is closing — but only if you act
AI is making both attacks and defenses faster. The Firefox project proves that AI-powered security testing works at scale and at a price point that would have been unimaginable two years ago. For small businesses, the question is not whether to take cybersecurity seriously. It is whether you will adopt these tools before attackers use them against you.
If you are unsure where your business stands on security, we can help you assess your AI and technology stack and build a plan that fits your budget.