Source: lennysnewsletter.com

How Claude Mythos found a 15-year-old bug in Mozilla Firefox | Brian Grinstead

Mozilla distinguished engineer Brian Grinstead and his team used an agentic bug-finding pipeline powered by Anthropic's Claude Mythos model to discover a 15-year-old bug in Firefox, contributing to a record month of security fixes. Grinstead credited the harness and pipeline equally with the AI model, detailing how the system scores files, verifies results, and retries until bugs are found.

Published Jun 22, 2026

**Brian Grinstead** is a distinguished engineer at Mozilla, where he’s worked on Firefox and the web platform since 2013 (he joined to help launch Firefox DevTools). Recently he and his team pointed an agentic bug-finding pipeline at Firefox—a codebase with tens of thousands of files and tens of millions of lines of code—and shipped a record month of security fixes. The viral chart everyone saw gave the credit to Anthropic’s new Mythos model. Brian’s take is that the harness and pipeline did just as much of the work, and he walks through exactly how it runs and how anyone can build a starter version.

Listen or watch on YouTube, Spotify, or Apple Podcasts

What you’ll learn:

• How to build a basic bug-finding harness by running Claude Code or Codex with one prompt and the `-p` flag, no SDK required

• Why pointing an agent at a whole codebase fails, and how an LLM judge can score and rank files before you spend any compute

• How a verifier subagent kills false positives by catching the agent when it cheats

• The goal-loop pattern: give an agent a tightly scoped problem, a clear pass/fail signal, and let it retry far past the point a human would quit

• Why teams that already invested in fuzzing, CI, and dev tooling are so far ahead

• How to weigh model versus harness, and why Brian splits the credit close to 50-50

• How a non-engineer can reuse the same score, verify, and fix loop for design quality, conversion rate, or tech debt

• Why AI-generated patches still can’t ship on their own, and where humans stay in the loop

Brought to you by:

**WorkOS**—Make your app enterprise-ready today

**Metaview**—The agentic recruiting platform for winning teams

In this episode, we cover:

([00:00](https://www.youtube.com/watch?v=Idjt53tTv2U)) Introduction to Brian Grinstead

([02:43](https://www.youtube.com/watch?v=Idjt53tTv2U&t=163s)) The viral chart: Firefox Security Bug Fixes by Month

([05:32](https://www.youtube.com/watch?v=Idjt53tTv2U&t=332s)) How the custom harness works

([10:22](https://www.youtube.com/watch?v=Idjt53tTv2U&t=622s)) Goal loops and guardrails

([14:45](https://www.youtube.com/watch?v=Idjt53tTv2U&t=885s)) How they built it

([16:55](https://www.youtube.com/watch?v=Idjt53tTv2U&t=1015s)) Real bugs, including a 15-year-old one

([23:00](https://www.youtube.com/watch?v=Idjt53tTv2U&t=1380s)) Open-sourcing it

([26:26](https://www.youtube.com/watch?v=Idjt53tTv2U&t=1586s)) Why humans still review every fix

([32:30](https://www.youtube.com/watch?v=Idjt53tTv2U&t=1950s)) Live demo and prioritizing files

([40:18](https://www.youtube.com/watch?v=Idjt53tTv2U&t=2418s)) Mobilizing the team and recap

([42:33](https://www.youtube.com/watch?v=Idjt53tTv2U&t=2553s)) Lightning round

Tools referenced:

• Claude Code: [https://claude.ai/code](https://claude.ai/code)

• Claude Agent SDK: [https://code.claude.com/docs/en/agent-sdk/overview](https://code.claude.com/docs/en/agent-sdk/overview)

• Codex: [https://openai.com/index/openai-codex/](https://openai.com/index/openai-codex/)

• OpenAI Agent SDK: [https://developers.openai.com/api/docs/guides/agents](https://developers.openai.com/api/docs/guides/agents)

• VS Code: [https://code.visualstudio.com/](https://code.visualstudio.com/)

• Docker: [https://www.docker.com/](https://www.docker.com/)

• Firefox: [https://www.mozilla.org/firefox/](https://www.mozilla.org/firefox/)

• Address Sanitizer: [https://github.com/google/sanitizers](https://github.com/google/sanitizers)

• RLBox: [https://rlbox.dev/](https://rlbox.dev/)

Other references:

• Mozilla Bug Bounty Program: [https://www.mozilla.org/security/bug-bounty/](https://www.mozilla.org/security/bug-bounty/)

• Mozilla GitHub: [https://github.com/mozilla](https://github.com/mozilla)

Where to find Brian Grinstead:

LinkedIn: [https://www.linkedin.com/in/bgrins/](https://www.linkedin.com/in/bgrins/)

GitHub: [https://github.com/bgrins](https://github.com/bgrins)

Where to find Claire Vo:

ChatPRD: [https://www.chatprd.ai/](https://www.chatprd.ai/)

Website: [https://clairevo.com/](https://clairevo.com/)

LinkedIn: [https://www.linkedin.com/in/clairevo/](https://www.linkedin.com/in/clairevo/)

Production and marketing by [https://penname.co/](https://penname.co/).