Industry
Ilya Kabanov

Mozilla's AI Vulnerability Win Only Works If You Are the Software

TL;DR Mozilla concluded "no category...humans can find that this model can't" and "defenders finally have a chance to win, decisively." True if you own your stack. For banks, hospitals, and utilities running vendor code they can't scan or patch, the same capability accelerates offense faster than defense reaches them.

Mozilla reported 22 bugs fixed in Firefox 148 with Opus 4.6 and 271 in Firefox 150 with Claude Mythos Preview. The story is real, but it is a piece, not the whole. Mozilla owns its code, runs the scanner, ships the fix, and updates 300M users inside a release cycle. That pipeline does not exist outside of vertically-integrated tech companies.

The contrarian view:

  1. Mozilla is celebrating a local win and calling it a global one, but the world is different outside of Silicon Valley. Non-tech companies don't own the source. They live with SAP, Workday, Oracle, Epic, ServiceNow, Siemens ICS, and a dozen apps whose vendors don't exist anymore, but the software manages a key machine on the manufacturing floor.
  2. Non-tech companies can't patch or even look. Source code is almost never available, and EULAs often forbid scanning binaries. They're at the mercy of a vendor, hoping that the vendor finds a vulnerability faster and gives time to patch. The compressing time-to-find and time-to-exploit, already under 24 hours, leaves no margin for this hope to materialize.
  3. Real attacks rarely happen because of just one vulnerability. An incident is usually a combination of factors, and integration is the weakest link. In real companies, software systems are deployed by consultants selected on the cheapest bid. They come and leave, the implementation degrades, and then an attacker with AI can compromise it in under a day. See the Gambit Security Mexico case.
  4. Vendor and customer incentives are misaligned. US software liability is near zero, but vendors carry the engineering cost. Security is becoming more expensive, and with its tokenization, the cost will continue to climb. Where will the vendor allocate the tokens? The next release, to survive the feature rat race, or security? You know the answer: they will show you a SOC2 report from Delve.
  5. Cyber insurance premiums will go up faster for non-tech. They have significantly less control over cyber risks and are exposed to significantly higher risks because of AI implementations. A regional bank's security team is a brave group of 12 underpaid and overworked analysts and jacks-of-all-trades. What are their chances in the battle against adversaries with AI?

Sources:

  1. Mozilla: AI Security and Zero-Day Vulnerabilities
  2. DeepDelver: Delve, Fake Compliance as a Service