When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs?

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Fri, 08 May 2026 04:01:01 GMT

endareth@disobey.net — Fri, 08 May 2026 04:01:01 GMT

@freddy Curious exactly how many critical/high #Firefox bugs were reported by #Mythos, vs how many were confirmed/accepted as such by your team?

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 23:34:22 GMT

freddy@social.security.plumbing — Thu, 07 May 2026 23:34:22 GMT

RE: https://social.security.plumbing/@freddy/116534213887768480

@enigmatico

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 22:16:02 GMT

freddy@social.security.plumbing — Thu, 07 May 2026 22:16:02 GMT

@skryking @AlesandroOrtiz less valid from bug bounty, given we found them first? might change over time of course

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 20:13:15 GMT

skryking@infosec.exchange — Thu, 07 May 2026 20:13:15 GMT

@AlesandroOrtiz @freddy I would expect to see a really big surge initially and then tail off unless there's some big step forward in tooling, be it LLM/ML related or other...then tail off again after each initial burst.

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 19:29:50 GMT

alesandroortiz@infosec.exchange — Thu, 07 May 2026 19:29:50 GMT

@freddy Less? That's very surprising.

Thought it would continue increasing despite *gestures wildly* everything.

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 19:25:04 GMT

freddy@social.security.plumbing — Thu, 07 May 2026 19:25:04 GMT

@AlesandroOrtiz yeah, we will see how things go. Due to *gestures wildly* recent events, we also had a bit less submissions, so… ‍️

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 19:16:02 GMT

alesandroortiz@infosec.exchange — Thu, 07 May 2026 19:16:02 GMT

@freddy Ah, forgot about those changes. (It's been a _very long_ 2 months.)

Reward amounts seem unchanged and Firefox still pays for reasonable moderate impact vulns, which is appreciated.

Hope reward amounts aren't lowered given the new landscape, especially since FF rewards were much lower than other browser VRPs (now about the same).

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 18:58:05 GMT

freddy@social.security.plumbing — Thu, 07 May 2026 18:58:05 GMT

@AlesandroOrtiz https://attackanddefense.dev/2026/03/13/bug-bounty-program-updates-2026.html

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 18:44:30 GMT

alesandroortiz@infosec.exchange — Thu, 07 May 2026 18:44:30 GMT

@freddy Thanks for sharing and making those reports public early. Great insight into what's happening with browser VRPs.

Is Mozilla planning changes to the Firefox VRP in response to this, similar to recent changes to the Chrome VRP?

(Or have changes already been made? I'm not closely following the Firefox VRP, unfortunately.)

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 18:16:59 GMT

freddy@social.security.plumbing — Thu, 07 May 2026 18:16:59 GMT

@yoasif @HeNeArXn Yeah, I don't think we can share the tools but happy to answer questions

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 17:18:39 GMT

yoasif@mastodon.social — Thu, 07 May 2026 17:18:39 GMT

@freddy @HeNeArXn The attachments show the result, not the process. People using the tools would be able to give us a better understanding of what is actually happening.

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 17:15:18 GMT

freddy@social.security.plumbing — Thu, 07 May 2026 17:15:18 GMT

@yoasif @HeNeArXn You can just click the bugs and see the attachments?

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 17:11:14 GMT

yoasif@mastodon.social — Thu, 07 May 2026 17:11:14 GMT

@HeNeArXn @freddy Touché! I understood that "using" AI gave you the result - the topline here does the same "found and fixed".

We know the Firefox team didn't find the bugs themselves - that was AI - and the initial post implied (to me) an equivalency between finding and fixing.

I hoped to understand how much the AI had contributed to fixing the bugs, but it seems like we'll have to see another blog post for that.

Basically, what does "using AI" mean when fixing these bugs.

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 16:32:04 GMT

henearxn@chaos.social — Thu, 07 May 2026 16:32:04 GMT

@yoasif @freddy the original post says "using", not "by"?

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 16:26:13 GMT

yoasif@mastodon.social — Thu, 07 May 2026 16:26:13 GMT

@freddy You are the ones fixing the bugs, but your comment is pretty ambiguous -- your initial post says the bugs were fixed by AI, and then you say that you need a human author to write and review the patch.

Which is it - is it a human author or an AI author?

If it is a human author, can you really say that it was fixed by AI?

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 16:23:08 GMT

freddy@social.security.plumbing — Thu, 07 May 2026 16:23:08 GMT

@yoasif You'll see attachments in some of the bugs. We asked the LLM to propose a patch, but it was real people who were assigned to the bug and they were of course free to pick a different approach.

As with all patches in Firefox, we need a human author and another human to review the patch. https://firefox-source-docs.mozilla.org/contributing/ai-coding.html

Reply to When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs? on Thu, 07 May 2026 16:20:37 GMT

yoasif@mastodon.social — Thu, 07 May 2026 16:20:37 GMT

@freddy You fixed the bugs with AI too?