Mozilla’s Mythos experiment reads, at first, like a cybersecurity story. Anthropic built Mythos for vulnerability research. Mozilla pointed it at Firefox. The previous AI scan, run with a general-purpose model, surfaced 22 security-sensitive bugs. One release cycle later, with the purpose-built model, the number was 271. The Firefox security team — a group that has spent two decades being skeptical about new tools — published the result with the kind of careful enthusiasm that means something has actually changed.
The 271 is striking. The story underneath it is bigger, and it is not really about cybersecurity at all. Software has always rested on a quiet assumption that human-written code is the trust anchor and machines are there to check it. Mythos is the first serious sign that the assumption is about to flip. Serious software in the next era may be generated, attacked, repaired, and verified by machines, while humans hold a different role entirely: defining what the system is allowed to mean.
If that flip is real, the standard of trust rises faster than most teams are ready for. Hand-written code without adversarial machine review starts to look incomplete. Codebases that were merely messy start to look structurally unsafe, because the tools that could make them safer cannot operate on a system nobody can read. There is a window to get ahead of this — short, uneven, and closing.
Here’s what’s inside:
The inversion of authorship. Humans wrote, machines checked. Mythos starts to flip that. What it means when generated code becomes the more trusted version, not the less.
When trust becomes scarce. Code is about to get cheap to produce and expensive to trust. The teams that win the next year are the ones that build for that gap on purpose.
Comprehensibility as a security property. Why the next four to five months are a refactor window — and why teams that wait will discover their codebases are too tangled for the new tools to help.
Where the timing lands. What this means if you are an individual contributor versus a team lead versus a CTO — and why the budget conversation is already late at the top of the org.
Audit your readiness now. Two prompts that tell you whether your codebase is legible enough for the next generation of adversarial review tools, and whether your evals for AI-generated code are catching the right things.