Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser.
Defenders finally have a chance to win, decisively
I’m curious how it will turn out to be in a long term. Are we going to have safer software? Because not only defenders will have a powerful tool, but attackers too. But at the same time, number of bugs is finite… Can we in theory one day achieve literally zero bugs in codebase?
Another factor Mozilla didn’t mention (and that Anthropic wouldn’t like to emphasize) is that major LLMs are pretty similar. And their development is way more conservative than you’d think. They use similar architectures and formats, train from the same data, distill each other, further pollute the internet with the same output and so on. So if (for example) Mozilla red teams with Mythos, I’d posit it’s likely that attacker LLMs would find the same already-patched bugs, instead of something new.
…So yeah. I’d wager Mozilla’s sentiment is correct.
Cyber security in general is going to get interesting. Breaking into protected systems often requires more patience than expertise. Attackers often get detected when they take short cuts because of laziness and overconfidence. AI agents have unfathomable patience and attention to detail.l
I don’t really agree with the attention to detail part from my experience. AI agents love to take shortcuts from what I’ve seen, and you have to pay a lot of attention to what they’re doing to make sure they do the right thing.
Not zero bugs, but it should help. A benefit for defenders is that they can use AI review on code before they make it public or release it in a stable release
I’m curious how it will turn out to be in a long term. Are we going to have safer software? Because not only defenders will have a powerful tool, but attackers too. But at the same time, number of bugs is finite… Can we in theory one day achieve literally zero bugs in codebase?
It does seem advantageous to the defender.
Another factor Mozilla didn’t mention (and that Anthropic wouldn’t like to emphasize) is that major LLMs are pretty similar. And their development is way more conservative than you’d think. They use similar architectures and formats, train from the same data, distill each other, further pollute the internet with the same output and so on. So if (for example) Mozilla red teams with Mythos, I’d posit it’s likely that attacker LLMs would find the same already-patched bugs, instead of something new.
…So yeah. I’d wager Mozilla’s sentiment is correct.
You can achieve zero bugs through liberal use of rm.
You can achieve the same effect with a hammer
Some LLMs will agree with you
Cyber security in general is going to get interesting. Breaking into protected systems often requires more patience than expertise. Attackers often get detected when they take short cuts because of laziness and overconfidence. AI agents have unfathomable patience and attention to detail.l
I don’t really agree with the attention to detail part from my experience. AI agents love to take shortcuts from what I’ve seen, and you have to pay a lot of attention to what they’re doing to make sure they do the right thing.
They have attention to detail, just not the right details. It’s super easy for them to get lost in a never ending train of tangents.
Not zero bugs, but it should help. A benefit for defenders is that they can use AI review on code before they make it public or release it in a stable release