Firefox 150: When Defenders Win Decisively
271 vulnerabilities fixed. Team worked around the clock since February. This is the story of how defenders finally caught a glimpse of victory against the attacker advantage.
Firefox 150 just shipped with 271 vulnerabilities fixed. Two hundred and seventy-one. That number hit like a gut punch when the team first saw it. Claude Mythos Preview had scanned the codebase, and the findings were so overwhelming they briefly called it “vertigo”—which is apparently Mozilla speak for “we almost had to sit down.”
But they didn’t panic. They pivoted. Everything else got deprioritized. Single-minded focus. Around the clock since February. And this morning, they shipped it. Here’s what that actually means.
(This is a follow-up to my previous post about Mythos and the changing threat landscape. That one focused on the alarm bells. This one focuses on what happens when defenders actually execute.)
The moment defenders caught a break
For years, we’ve been playing a losing game. Attackers discover bugs faster than defenders can patch them. Attackers exploit chains that researchers didn’t know existed. Attackers find subtle memory corruption nobody saw coming. The gap’s been widening. Defenders were tired.
Then Mythos changed the equation.
See, elite human security researchers have a ceiling. Not because they’re not good—they’re brilliant—but because there are only so many hours in a day, so many people with the depth required, so many code paths you can read before your brain gives up. Mythos doesn’t have that ceiling. It can scan billions of lines of code the way you’d scan a paragraph. It finds categories of bugs that humans miss. It chains bugs together into attacks humans hadn’t imagined.
And here’s the part that matters: all those bugs exist today. They’re not new. They’re sitting in production browsers, operating systems, databases, right now. Mythos found 271 of them in Firefox alone. The team’s bet was simple: ship a version where all the findable bugs are found and fixed. Be first. Set the template.
They did it.
What “reprioritize everything” actually looks like
The Mozilla team’s been public about the impact: working “around the clock,” pushing literally everything else to a queue labeled “maybe later,” full sprint mode since February. That’s not hyperbole. That’s the weight of knowing your browser is the daily tool for 200 million people, and suddenly you’re looking at 271 unfixed security holes.
Here’s what that does to a team:
Engineers don’t sleep much. On-call rotations disappear because everyone’s on call. You stop arguing about the perfect solution and ship the working one. Code review becomes efficient—no bike-shedding, just “does this fix the bug and not introduce new ones?” Priorities collapse to a single line: close the gaps.
The vertigo fades into action.
By the end, you’ve got a release that represents not just patching, but comprehensiveness. 271 fixes isn’t a security update; it’s an audit. It says: “We found what’s findable at the frontier of AI-assisted security research, and we fixed it.” That’s a statement. That’s a line in the sand for what “secure” means in 2026.
The finite defects thesis: bold, grounded in data
Here’s the controversial claim the Mozilla team’s making: we can finally find them all.
Not eventually. Not theoretically. Now. With Mythos.
The argument goes like this. Vulnerability classes in a browser or OS aren’t infinite. Memory safety issues. Logic flaws. State confusion. Race conditions. Authentication bypasses. Crypto mistakes. These are bounded categories. Humans with expertise can find them, but slowly. Mythos finds them fast.
The 271 bugs fixed? None of them are “alien” vulnerabilities, the kind that elite human researchers couldn’t have found. Mythos didn’t invent new classes. It applied superhuman patience and coverage to the existing categories. It’s the difference between “a human could find this if they spent three months on this subsystem” and “we did find it because we applied AI to it.”
That distinction matters.
Because if bugs are finite, and elite researchers (augmented by AI) can find them all, then the attacker advantage starts to evaporate. Attackers have been winning because defenders were always behind. Defenders didn’t have perfect information. Now, with Mythos scans becoming standard, defenders can have better information than attackers—at least for browsers, OSes, and critical infrastructure. The playing field doesn’t flip. But it stops tilting so hard.
It’s not magic. It’s data. It’s comprehensive. It’s finite.
What this means for the next release
Here’s what I think happens next, and you should watch for it: other browsers copy this playbook. The Chromium team. Safari. Everyone serious about security launches Mythos scans as part of their release cycle. It becomes table stakes.
And it should. Not because Mythos is perfect—no tool is—but because it changes the conversation from “how many bugs shipped” to “how many bugs did we find and fix before shipping?”
Defense in depth still matters. Sandboxes still matter. Rust code still helps (some memory bugs just don’t happen). Red teams still matter. But the vulnerability discovery bottleneck—the thing that’s been killing defenders for years—suddenly has a solution.
One thing defenders should do today
If you’re responsible for a product with source code: get Mythos scans running. Not because it’ll solve everything. But because it’ll find the things humans missed. And finding bugs beats shipping them.
We finally have a tool that matches the attacker advantage. It’s not a win yet. But it’s the first time I’ve seen defenders look like they have a chance.
Ship it.