Mozilla published a detailed engineering writeup this week describing how the Firefox security team used their preview access to Anthropic's Claude Mythos to locate and fix what they describe as hundreds of vulnerabilities inside the browser. The exact number matters less than the venue. Firefox is not a research codebase or a benchmark suite. It is production C++ shipping to roughly a quarter of a billion devices, audited continuously for two decades by some of the most experienced memory-safety engineers in the industry. The post is the first time a major frontier-model deployment has produced a public receipt at that scale, on that surface, written by the team that owns the code rather than the team that ships the model.

What makes the writeup matter is not the headline number but the texture. Mozilla is careful to describe how Claude Mythos was used as a force multiplier, not an oracle. Engineers wrote the prompts, validated the findings, wrote the patches, and decided which classes of bug were worth running the model against in the first place. The post reads like an internal tooling story, not a vendor case study. That is the right shape for a real receipt. The interesting question is no longer 'can AI find production-grade bugs' but 'what does a security org look like when one engineer with a frontier model audits surface area that used to take a team a quarter.'

On the same day, Jeff Kaufman published a thoughtful analysis arguing AI is breaking two vulnerability cultures at once — the responsible-disclosure culture that depends on attackers being scarce, and the open-source culture that depends on defenders being volunteer-rare. Both assumed that finding novel bugs in well-audited code took specialised, slow human effort. Both have priced their incentives, embargoes, and patch timelines around that assumption. If a competent operator with a Mythos-class model can independently rediscover a class of bug in an afternoon, the embargo window collapses, and the moral economy of disclosure has to be renegotiated under time pressure rather than at conferences.

Most of this week's coverage misses that the asymmetry is not symmetric. A defender running an internal audit compounds findings into long-lived patches and regression tests. An attacker running the same model has to weaponise, deliver, and avoid detection — every step of which is harder than finding the bug. Anthropic's own Claude Code sandbox-escape CVE landed this same week, which is a useful corrective: model-augmented systems are not invincible, and the security industry's instinct to treat AI as a single-vector threat will keep failing. The honest read is that the defensive surface gets cheaper to audit faster than the offensive surface gets cheaper to exploit, but only for teams that operationalise.

The working takeaway is operational, not philosophical. Security organisations that treat AI as a continuous internal capability — wired into CI, into triage, into postmortems — will compound an advantage over the next eighteen months that point-in-time audits cannot match. Vendors that publish the kind of receipt Mozilla just published will set the bar for what a credible production deployment looks like, and the absence of such a receipt should start to read as a tell. The conversation has moved past whether frontier models can do real security work. The question now is which orgs ship the disclosure cultures, the eval harnesses, and the deployment shapes that take that capability seriously.