When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs?
-
When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs?
Well, here they are. We are unhiding 12 security bugs that are representative of the issues we have found.
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/.
@freddy You fixed the bugs with AI too?
-
@freddy You fixed the bugs with AI too?
@yoasif You'll see attachments in some of the bugs. We asked the LLM to propose a patch, but it was real people who were assigned to the bug and they were of course free to pick a different approach.
As with all patches in Firefox, we need a human author and another human to review the patch. https://firefox-source-docs.mozilla.org/contributing/ai-coding.html
-
@yoasif You'll see attachments in some of the bugs. We asked the LLM to propose a patch, but it was real people who were assigned to the bug and they were of course free to pick a different approach.
As with all patches in Firefox, we need a human author and another human to review the patch. https://firefox-source-docs.mozilla.org/contributing/ai-coding.html
@freddy You are the ones fixing the bugs, but your comment is pretty ambiguous -- your initial post says the bugs were fixed by AI, and then you say that you need a human author to write and review the patch.
Which is it - is it a human author or an AI author?
If it is a human author, can you really say that it was fixed by AI?
-
@freddy You are the ones fixing the bugs, but your comment is pretty ambiguous -- your initial post says the bugs were fixed by AI, and then you say that you need a human author to write and review the patch.
Which is it - is it a human author or an AI author?
If it is a human author, can you really say that it was fixed by AI?
-
@HeNeArXn @freddy Touché! I understood that "using" AI gave you the result - the topline here does the same "found and fixed".
We know the Firefox team didn't find the bugs themselves - that was AI - and the initial post implied (to me) an equivalency between finding and fixing.
I hoped to understand how much the AI had contributed to fixing the bugs, but it seems like we'll have to see another blog post for that.
Basically, what does "using AI" mean when fixing these bugs.
-
@HeNeArXn @freddy Touché! I understood that "using" AI gave you the result - the topline here does the same "found and fixed".
We know the Firefox team didn't find the bugs themselves - that was AI - and the initial post implied (to me) an equivalency between finding and fixing.
I hoped to understand how much the AI had contributed to fixing the bugs, but it seems like we'll have to see another blog post for that.
Basically, what does "using AI" mean when fixing these bugs.
-
-
-
When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs?
Well, here they are. We are unhiding 12 security bugs that are representative of the issues we have found.
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/.
@freddy Thanks for sharing and making those reports public early. Great insight into what's happening with browser VRPs.
Is Mozilla planning changes to the Firefox VRP in response to this, similar to recent changes to the Chrome VRP?
(Or have changes already been made? I'm not closely following the Firefox VRP, unfortunately.)
-
@freddy Thanks for sharing and making those reports public early. Great insight into what's happening with browser VRPs.
Is Mozilla planning changes to the Firefox VRP in response to this, similar to recent changes to the Chrome VRP?
(Or have changes already been made? I'm not closely following the Firefox VRP, unfortunately.)
-
@freddy Ah, forgot about those changes. (It's been a _very long_ 2 months.)
Reward amounts seem unchanged and Firefox still pays for reasonable moderate impact vulns, which is appreciated.
Hope reward amounts aren't lowered given the new landscape, especially since FF rewards were much lower than other browser VRPs (now about the same).
-
@freddy Ah, forgot about those changes. (It's been a _very long_ 2 months.)
Reward amounts seem unchanged and Firefox still pays for reasonable moderate impact vulns, which is appreciated.
Hope reward amounts aren't lowered given the new landscape, especially since FF rewards were much lower than other browser VRPs (now about the same).
@AlesandroOrtiz yeah, we will see how things go. Due to *gestures wildly* recent events, we also had a bit less submissions, so…
️ -
@AlesandroOrtiz yeah, we will see how things go. Due to *gestures wildly* recent events, we also had a bit less submissions, so…
️@freddy Less? That's very surprising.
Thought it would continue increasing despite *gestures wildly* everything.
-
@freddy Less? That's very surprising.
Thought it would continue increasing despite *gestures wildly* everything.
@AlesandroOrtiz @freddy I would expect to see a really big surge initially and then tail off unless there's some big step forward in tooling, be it LLM/ML related or other...then tail off again after each initial burst.
-
@AlesandroOrtiz @freddy I would expect to see a really big surge initially and then tail off unless there's some big step forward in tooling, be it LLM/ML related or other...then tail off again after each initial burst.
@skryking @AlesandroOrtiz less valid from bug bounty, given we found them first?
might change over time of course -
When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs?
Well, here they are. We are unhiding 12 security bugs that are representative of the issues we have found.
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/.
-
R relay@relay.mycrowd.ca shared this topic
