Mozilla says 271 vulnerabilities found by Mythos have “almost no false positives”


As mentioned earlier, Mozilla’s characterization of AI-assisted vulnerability discovery as a game changer has met widespread, vocal skepticism. Critics initially scoffed when Mozilla did not receive a CVE designation for any of the 271 vulnerabilities. However, like many developers, Mozilla does not obtain CVE listings for internally discovered security bugs. Instead, they are bundled into a single patch. Typically, the Bugzilla reports detailing these “rollups” remain hidden for several months after the fix, to protect users who are slow to patch. Now that Mozilla has revealed a dozen of them, those same critics will surely claim they were hand-picked and that the less accurate results remain hidden.

Of the 271 bugs found using Mythos, 180 were second-high, Mozilla’s highest designation for internally reported vulnerabilities. These types of vulnerabilities can be exploited through normal user behavior, such as browsing web pages. (The only higher rating, second-critical, is reserved for zero-days.) The other 80 were second-medium, and 11 were second-low.

Critics are right to push back. Hype is an important way to increase the already high valuations of AI companies. Given the widespread praise Mozilla has given Mythos, it’s easy for even the more credulous to wonder what it is getting in return. Rather than settle the debate, Thursday’s details are likely to inflame the controversy further.

However, to hear Grinstead tell it, the details are clear proof of the usefulness of AI-assisted vulnerability discovery, and Mozilla’s motivation is simple.

“People are a little upset by these reckless commitments of the past year, so we felt it was important to show some of our work, unpack some of the mess, and talk about it in a little more detail, to encourage some action or keep the conversation going,” he said. “There’s no kind of marketing angle here. Our team has fully embraced this approach. We’re trying to send a message about this technology in general, not about any specific model provider, company or anything like that.”
