Summary
Anthropic’s March 2026 Mozilla write-up says Claude Opus 4.6 discovered 22 Firefox vulnerabilities over two weeks, including 14 that Mozilla assigned high severity. Anthropic says the team scanned nearly 6,000 C++ files and submitted 112 unique reports, with most issues fixed in Firefox 148.
The public advisory layer is broader than that single blog post. Mozilla’s Firefox 148 and Firefox 149 advisories directly credit researchers “using Claude from Anthropic” on 28 CVEs. VulnCheck independently audited the CVE records and arrived at the same Mozilla count.
Why this is grouped
Firefox 148 alone contains many individual CVEs with the same credit line. A single grouped ledger entry is more useful than dozens of nearly identical rows. The entry records the public CVE IDs and links to the primary Mozilla advisories so the attribution can be audited.
Caveat
The advisories credit researchers using Claude from Anthropic. They do not state that every CVE was autonomously found by a model. Anthropic’s primary write-up describes a researcher-in-the-loop process with validation, triage, and Mozilla maintainer review.
References
- Anthropic: Partnering with Mozilla to improve Firefox's security
- Mozilla MFSA 2026-13: Firefox 148
- Mozilla MFSA 2026-20: Firefox 149
- VulnCheck: Anthropic-credited CVEs
Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.