FARVEL BIG TECH

More breathless, but vague praise for #Mythos.

Tags: mythos, mozilla, claude, anthropic
19 posts, 11 posters, 30 views
This thread has been deleted. Only users with topic management privileges can see it.
  paco@infosec.exchange wrote:

    More breathless, but vague praise for #Mythos. Now #mozilla's CTO has come out with a detail-free, hyperbole-laden blog post.

    I can't get anything below the surface level on this blog post. Maybe I'm looking in the wrong places.

    • The blog post itself contains no links or references (except a link to a prior blog post)
    • The Firefox 150 release notes have zero mentions of #Claude, #Anthropic, or Mythos.
    • The security advisories in Firefox 150 list 41 bugs
      • Anthropic is credited exactly 3 times.
      • The blog post says "This week's release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation"
      • It is not clear why the blog says 271, the release lists 41 issues, and only 3 acknowledge Anthropic
    • I've tried looking on Mozilla's bugzilla and I have no access to any bug that is named in those release notes. I can't even see the conversation, much less the code change.

    How is someone supposed to put this blog post's claims into context?

    jcolag@mastodon.social wrote (#8):

    @paco Every one of these stories, no matter the team, always reads like this, too. "The tool found and fixed X vulnerabilities for us!" Severity? Did a human ever confirm the vulnerability? How hard would it have been to find and why was nobody looking there? Don't worry your pretty little head.

    If I know the industry, then this means that it filed a bunch of pull requests labeled "vulnerability" that didn't break the build. ✨

    feld@friedcheese.us wrote:
      @paco did you see what WolfSSL reported about their usage of Mythos?
      paco@infosec.exchange wrote (#9):

      @feld No. I haven’t seen ANYTHING written by someone whose fingers interacted with it. Read closely. Anthropic used Mythos. Not wolfSSL. All we (or they) get to see is the result.

      In the original Mythos blog, Anthropic hired top security contractors for like 4 months to vet and write up 198 results. Like so many other AI things, they do not make clear the boundary between human and machine. They want you to think the machine did everything by itself. They leave out details.

      paco@infosec.exchange wrote:

        Amusingly, this vulnerability was also fixed in #Firefox 150. And this is the kind of thing an LLM is not going to find.

        https://fingerprint.com/blog/firefox-tor-indexeddb-privacy-vulnerability/

        nf3xn@mastodon.social wrote (#10):

        @paco I hear a lot of "zero-days found". More like zero-🍔 How many PoCs did they actually demo, much less have? A youtube of calc popping while some script runs in a terminal does not count. If I were them and I had found one solid RCE I am sure I'd be making much of it. Just a lot of noise at the moment. I can't believe someone would wilfully embarrass themselves and destroy their professional reputation by making false claims in front of the whole world though over some hype so...?


          osmose@digipres.club wrote (#11):

          @paco apparently the big number is because Firefox groups internally found vulns https://lobste.rs/c/nelno4

          If you look up the CVEs they have Bugzilla search links with the 271 bugs being counted, but I couldn't view any of them yet so we still can't meaningfully verify the sus claims 🫤


            dangoodin@infosec.exchange wrote (#12):

            @paco

            I just asked Mozilla about this. Someone responded that internally found bugs like the 271 go into "roll-up" advisories, with each rollup providing a link to the bug list covered.

            The 3 rollups are:

            https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6784

            https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6785

            https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6786

            When you look at these rollups they say that "Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."

            With no way of knowing how many vulnerabilities were truly severe and exploitable, I think Mozilla, like others gushing about LLM-assisted vuln finding, is denying us the data to assess the true value of Mythos.
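The 41-versus-271 discrepancy in this thread comes down to how an advisory is counted: a roll-up CVE entry links to a single Bugzilla buglist query carrying many bug IDs, so "CVE entries on the page", "distinct bugs behind those entries" and "entries crediting a given reporter" are three different numbers. The script below, an added example that is not part of the thread and not Mozilla's own tooling, does that reconciliation over a constructed advisory fragment. The markup it expects (an h4 per CVE, a Reporter definition-list entry, show_bug.cgi and buglist.cgi links) is an assumed simplification of the real page layout, and every CVE and bug number in the sample is made up.

```python
"""Reconcile vulnerability counts in a Mozilla-style security advisory.

Three numbers are routinely conflated when an advisory is summarised:
  * CVE entries on the page ("the advisory lists N bugs"),
  * distinct Bugzilla bug IDs behind those entries (a roll-up entry links
    to one buglist.cgi query carrying many IDs, so this is the larger number),
  * entries, and bugs, credited to a particular reporter.
The markup handled here is an assumed simplification of the real page layout.
"""
import re
from dataclasses import dataclass, field
from html import unescape
from urllib.parse import parse_qs, urlparse

# One section per CVE, opened by <h4 id="CVE-..."> and running to the next one.
SECTION_RE = re.compile(r'<h4 id="(CVE-\d{4}-\d+)">(.*?)(?=<h4 id="CVE-|\Z)', re.S)
REPORTER_RE = re.compile(r"<dt>Reporter</dt>\s*<dd>(.*?)</dd>", re.S)
HREF_RE = re.compile(r'href="([^"]+)"')
SHOW_BUG_RE = re.compile(r"bugzilla\.mozilla\.org/show_bug\.cgi\?id=(\d+)")
TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class Entry:
    cve: str
    reporter: str = ""
    bug_ids: set[str] = field(default_factory=set)
    rollup: bool = False  # True when the entry points at a buglist query


def bug_ids_from_buglist(url: str) -> set[str]:
    """Return the comma-separated bug_id list carried by a buglist.cgi URL."""
    query = parse_qs(urlparse(url).query)
    ids: set[str] = set()
    for value in query.get("bug_id", []):
        ids.update(v.strip() for v in value.split(",") if v.strip())
    return ids


def parse_advisory(page: str) -> list[Entry]:
    """Walk the CVE sections of an advisory page and collect reporter and bug IDs."""
    entries: list[Entry] = []
    for match in SECTION_RE.finditer(page):
        entry = Entry(cve=match.group(1))
        body = match.group(2)
        reporter = REPORTER_RE.search(body)
        if reporter:
            entry.reporter = TAG_RE.sub("", reporter.group(1)).strip()
        for href in HREF_RE.findall(body):
            href = unescape(href)  # attribute values may carry &amp;
            if "buglist.cgi" in href:
                entry.rollup = True
                entry.bug_ids |= bug_ids_from_buglist(href)
            else:
                entry.bug_ids.update(SHOW_BUG_RE.findall(href))
        entries.append(entry)
    return entries


def reconcile(entries: list[Entry], reporter_substring: str) -> dict[str, int]:
    """Tally the three counts, deduplicating bug IDs shared between entries."""
    credited = [e for e in entries if reporter_substring.lower() in e.reporter.lower()]
    return {
        "cve_entries": len(entries),
        "rollup_entries": sum(e.rollup for e in entries),
        "distinct_bugs": len(set().union(*(e.bug_ids for e in entries))),
        "entries_crediting": len(credited),
        "bugs_in_credited_entries": len(set().union(*(e.bug_ids for e in credited))),
    }


# Constructed advisory fragment; the CVE and bug numbers are made up.
SAMPLE_ADVISORY = """
<h4 id="CVE-2026-0001">CVE-2026-0001: Use-after-free in a constructed component</h4>
<dl><dt>Reporter</dt><dd>Anthropic</dd><dt>Impact</dt><dd>high</dd></dl>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1000001">Bug 1000001</a>
<h4 id="CVE-2026-0002">CVE-2026-0002: Out-of-bounds read in a constructed parser</h4>
<dl><dt>Reporter</dt><dd>Example Researcher</dd><dt>Impact</dt><dd>moderate</dd></dl>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1000002">Bug 1000002</a>
<h4 id="CVE-2026-0003">CVE-2026-0003: Memory safety bugs fixed in Firefox 150</h4>
<dl><dt>Reporter</dt><dd>Mozilla developers and Anthropic</dd><dt>Impact</dt><dd>high</dd></dl>
<a href="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1000010,1000011,1000012,1000013,1000014">Memory safety bugs</a>
<h4 id="CVE-2026-0004">CVE-2026-0004: Memory safety bugs fixed in Firefox 150 and ESR</h4>
<dl><dt>Reporter</dt><dd>Mozilla developers and community</dd><dt>Impact</dt><dd>high</dd></dl>
<a href="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1000014,1000020,1000021">Memory safety bugs</a>
"""

if __name__ == "__main__":
    summary = reconcile(parse_advisory(SAMPLE_ADVISORY), "Anthropic")
    for key, value in summary.items():
        print(f"{key:>26}: {value}")
```

On the constructed sample this reports 4 CVE entries, 2 of them roll-ups, 9 distinct bugs, and 2 entries (6 bugs) crediting Anthropic; bug 1000014 appears in both roll-ups and is counted once. Before pointing it at a saved copy of a real advisory, check that the selectors still match the page. The count only reflects what the advisory exposes: it says nothing about severity or exploitability of the bugs behind a roll-up, which is exactly the gap the posts in this thread describe.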


              peteriskrisjanis@toot.lv wrote (#13):

              @dangoodin @paco yeah, I'll just call Dingo on this one.


                wpalant@infosec.exchange wrote (#14):

                @dangoodin @paco Mozilla has always been doing these “roll-up” advisories where the effort of proving exploitability (and consequently evaluating the risks) outweighed the effort of fixing the bug. So it isn’t really denying, they simply don’t know themselves.

                A while ago I asked about security bugs being opened with a significant delay (at the time it was several months). I was told that the issue is downstream projects that are slower to release updates than Firefox. Hopefully things improved since then but the essence is still: access to these bugs will be opened eventually, we just don't know when exactly.


                  feld@friedcheese.us wrote (#15):
                  @paco ahh, good point, even WolfSSL's wasn't done by the team but by Anthropic.

                    zbrown@floss.social wrote (#16):

                    @WPalant @dangoodin @paco I don't think the suggestion is that rollups are in themselves a problem, the issue is that Mozilla is presenting it as ‘the magic box found almost 300 vulnerabilities! isn't it great!’, when in practice it's more like running clang's scan-build and reporting every warning.

                    Obviously all mishandled allocations are bugs, but not all those hits are going to be real, much less fit all but the most pedantic definition of ‘vulnerability’.


                      zbrown@floss.social wrote (#17):

                      @WPalant @dangoodin @paco the impression people get, especially lay people, is that the all-knowing-machine found 300 ways to steal your firefox history, when in practice it's maybe a dozen really contrived ways to crash your tab.

                      Good to fix certainly, but not quite as impactful right?


                        paco@infosec.exchange wrote (#18):

                        The fact that we are having this conversation is the essence of my point: they did not give enough info to understand what they said. And too many people fill in the gaps with a rosy picture. And neither Anthropic nor Mozilla mind.

                        In 3 or 6 months when we get the details and they’re underwhelming, it won’t matter. They got the publicity they needed. Cynical me says Anthropic timed any embargoes or disclosure dates to occur after they close whatever their next funding round is.
                        @zbrown @WPalant @dangoodin


                          zbrown@floss.social wrote (#19):

                          @paco @WPalant @dangoodin I concur, and it'd hardly be an unprecedented move, right?

                          With the track record of LLM companies, and others in this space, I'm not sure it's even a particularly cynical read — just rational.

                          On the plus side in 6 months the bubble may have popped…

Powered by NodeBB. Graciously hosted by data.coop.