How Claude Mythos found a 15-year-old bug in Mozilla Firefox | Brian Grinstead

Mozilla distinguished engineer Brian Grinstead and his team used an agentic bug-finding pipeline powered by Anthropic's Claude Mythos model to discover a 15-year-old bug in Firefox, contributing to a record month of security fixes. Grinstead credited the harness and pipeline equally with the AI model, detailing how the system scores files, verifies results, and retries until bugs are found.

Brian Grinstead is a distinguished engineer at Mozilla, where he’s worked on Firefox and the web platform since 2013 (he joined to help launch Firefox DevTools). Recently he and his team pointed an agentic bug-finding pipeline at Firefox—a codebase with tens of thousands of files and tens of millions of lines of code—and shipped a record month of security fixes. The viral chart everyone saw gave the credit to Anthropic’s new Mythos model. Brian’s take is that the harness and pipeline did just as much of the work, and he walks through exactly how it runs and how anyone can build a starter version.

What you’ll learn:
• How to build a basic bug-finding harness by running Claude Code or Codex with one prompt and the -p flag, no SDK required
• Why pointing an agent at a whole codebase fails, and how an LLM judge can score and rank files before you spend any compute
• How a verifier subagent kills false positives by catching the agent when it cheats
• The goal-loop pattern: give an agent a tightly scoped problem, a clear pass/fail signal, and let it retry far past the point a human would quit
• Why teams that already invested in fuzzing, CI, and dev tooling are so far ahead
• How to weigh model versus harness, and why Brian splits the credit close to 50-50
• How a non-engineer can reuse the same score, verify, and fix loop for design quality, conversion rate, or tech debt
• Why AI-generated patches still can’t ship on their own, and where humans stay in the loop

Brought to you by:
• WorkOS—Make your app enterprise-ready today
• Metaview—The agentic recruiting platform for winning teams

In this episode, we cover:
• 00:00 Introduction to Brian Grinstead (https://www.youtube.com/watch?v=Idjt53tTv2U)
• 02:43 The viral chart: Firefox Security Bug Fixes by Month (https://www.youtube.com/watch?v=Idjt53tTv2U&t=163s)
• 05:32 How the custom harness works (https://www.youtube.com/watch?v=Idjt53tTv2U&t=332s)
• 10:22 Goal loops and guardrails (https://www.youtube.com/watch?v=Idjt53tTv2U&t=622s)
• 14:45 How they built it (https://www.youtube.com/watch?v=Idjt53tTv2U&t=885s)
• 16:55 Real bugs, including a 15-year-old one (https://www.youtube.com/watch?v=Idjt53tTv2U&t=1015s)
• 23:00 Open-sourcing it (https://www.youtube.com/watch?v=Idjt53tTv2U&t=1380s)
• 26:26 Why humans still review every fix (https://www.youtube.com/watch?v=Idjt53tTv2U&t=1586s)
• 32:30 Live demo and prioritizing files (https://www.youtube.com/watch?v=Idjt53tTv2U&t=1950s)
• 40:18 Mobilizing the team and recap (https://www.youtube.com/watch?v=Idjt53tTv2U&t=2418s)
• 42:33 Lightning round (https://www.youtube.com/watch?v=Idjt53tTv2U&t=2553s)

Tools referenced:
• Claude Code: https://claude.ai/code
• Claude Agent SDK: https://code.claude.com/docs/en/agent-sdk/overview
• Codex: https://openai.com/index/openai-codex/
• OpenAI Agent SDK: https://developers.openai.com/api/docs/guides/agents
• VS Code: https://code.visualstudio.com/
• Docker: https://www.docker.com/
• Firefox: https://www.mozilla.org/firefox/
• Address Sanitizer: https://github.com/google/sanitizers
• RLBox: https://rlbox.dev/

Other references:
• Mozilla Bug Bounty Program: https://www.mozilla.org/security/bug-bounty/
• Mozilla GitHub: https://github.com/mozilla

Where to find Brian Grinstead:
• LinkedIn: https://www.linkedin.com/in/bgrins/
• GitHub: https://github.com/bgrins

Where to find Claire Vo:
• ChatPRD: https://www.chatprd.ai/
• Website: https://clairevo.com/
• LinkedIn: https://www.linkedin.com/in/clairevo/

Production and marketing by https://penname.co/.