Mozilla says the 271 vulnerabilities found by Mythos have “virtually no false positives”



As mentioned earlier, Mozilla’s characterization of AI-driven vulnerability discovery as a game changer was met with massive, vocal skepticism in many quarters. Critics initially scoffed when Mozilla did not obtain a CVE designation for any of the 271 vulnerabilities. Like many developers, Mozilla does not obtain CVEs for security flaws it finds internally. Instead, they are rolled into a single patch. Typically, the Bugzilla reports detailing these bugs are kept hidden for a few months after the patch ships to protect users who have not yet applied it. Now that Mozilla has revealed more of them, those same critics will no doubt claim that the disclosed bugs have been cherry-picked and that less impressive results are being glossed over.

Of the 271 bugs detected using Mythos, 180 were rated sec-high, Mozilla’s highest designation for internally reported vulnerabilities. Vulnerabilities in this class can be exploited through normal user behavior, such as browsing to a web page. (The only higher rating, sec-critical, is reserved for zero-days.) Another 80 were sec-moderate, and 11 were sec-low.

Critics are right to continue to push back. Hype is the primary way AI companies inflate their already highly inflated valuations. Given Mozilla’s extensive praise for Mythos, it’s easy for the more skeptical to wonder: what is Mozilla getting in return? Far from settling the debate, Thursday’s details will only fuel it.

To hear Grinstead tell it, however, the details are clear evidence of the utility of AI-assisted discovery, and Mozilla’s motivation is simple.

“People have been a little burned out by this mess over the last year, so we thought it was important to show some of our work, expose some of the mistakes, and talk about it in a little more detail to hopefully spur some action or continue the conversation,” he said. “There’s no marketing angle here. Our team has fully embraced this approach. We’re trying to get the message out about this technique in general, not any specific model provider or company or anything like that.”


