this post was submitted on 08 Mar 2026
21 points (83.9% liked)

Opensource

5718 readers
267 users here now

A community for discussion about open source software! Ask questions, share knowledge, share news, or post interesting stuff related to it!

CreditsIcon base by Lorc under CC BY 3.0 with modifications to add a gradient


founded 2 years ago
MODERATORS
pylapp@programming.dev
21
Mozilla partners with Anthropic to perform security audits on firefox (www.anthropic.com)
submitted 1 day ago* (last edited 1 day ago) by sga@piefed.social to c/opensource@programming.dev
8 comments fedilink hide all child comments
 

Can mozilla just stop doing whatever they are doing?

I personally do not use firefox (i use qutebrowser), but if it were not for some other things, firefox (or librewolf) would be my favorite browser. This does not directly affect me but this still seems so dumb.

for more context as to why this is not that good of an idea as it may seem - please look at curl project and barrage of false security reports made. and curl is a cli project which just handles many protocols, and does not practically do any processing. firefox and any modern browser is basically a operating system and even a hardware (in forms of wasm allowing you to run arbitrary assembly written in systems programming language).

If firefox pays for it, they would loose lots of money, and if anthropicdoes it for free, they get clout (for supporting open projects), and without doing something that productive, they just put more strain on firefox devs to handle with false positive reports.

I am not a time traveller, so can not tell how this will go, but it does not seem that good

you are viewing a single comment's thread
view the rest of the comments
[–] towerful@programming.dev 5 points 1 day ago* (last edited 1 day ago)

for more context as to why this is not that good of an idea as it may seem - please look at curl project and barrage of false security reports made. and curl is a cli project which just handles many protocols, and does not practically do any processing. firefox and any modern browser is basically a operating system and even a hardware (in forms of wasm allowing you to run arbitrary assembly written in systems programming language).

The difference is that anthropic did due diligence. They narrowed their scope as a research project to just the JS engine. They then fully vetted 1 issue, had a complete minimum-test-case that would reporoduce the issue, then contacted Mozilla with it.
Mozilla then said "send over the rest, vetted or not", who then vetted them all.
Mozilla's findings with the bugs found by Claude were fed back to anthropic to hone the model.

So, it's completely different that someone yeeting a codebase into an LLM and reporting whatever it spewed out.
Anthropic required Claude to actually produce an example exploit of it. And it REALLY struggled to do this. But it did get there eventually, for 1 bug. Which they then reported.
Even then, the exploit was in the JS engine. It wouldn't have escaped the sandbox to actually be an issue. Classic defence-in-depth

Shitty use of AI is fucking horrible. It wastes resources, it wastes time, it wastes energy.
I think this is a responsible use of an LLM in limited scope to produce an actually useful result.