EPISODE · Jun 22, 2026 · 48 MIN
How Claude Mythos found a 15-year-old bug in Mozilla Firefox | Brian Grinstead
from How I AI · host Claire Vo
Brian Grinstead is a distinguished engineer at Mozilla, where he’s worked on Firefox and the web platform since 2013 (he joined to help launch Firefox DevTools). Recently he and his team pointed an agentic bug-finding pipeline at Firefox—a codebase with tens of thousands of files and tens of millions of lines of code—and shipped a record month of security fixes. The viral chart everyone saw gave the credit to Anthropic’s new Mythos model. Brian’s take is that the harness and pipeline did just as much of the work, and he walks through exactly how it runs and how anyone can build a starter version.What you’ll learn:How to build a basic bug-finding harness by running Claude Code or Codex with one prompt and the -p flag, no SDK requiredWhy pointing an agent at a whole codebase fails, and how an LLM judge can score and rank files before you spend any computeHow a verifier subagent kills false positives by catching the agent when it cheatsThe goal-loop pattern: give an agent a tightly scoped problem, a clear pass/fail signal, and let it retry far past the point a human would quitWhy teams that already invested in fuzzing, CI, and dev tooling are so far aheadHow to weigh model versus harness, and why Brian splits the credit close to 50-50How a non-engineer can reuse the same score, verify, and fix the loop for design quality, conversion rate, or tech debtWhy AI-generated patches still can’t ship on their own, and where humans stay in the loop—Brought to you by:WorkOS—Make your app enterprise-ready todayMetaview—The agentic recruiting platform for winning teams—In this episode, we cover:(00:00) Introduction to Brian Grinstead(02:43) The viral chart: Firefox Security Bug Fixes by Month(05:32) How the custom harness works(10:22) Goal loops and guardrails(14:45) How they built it(16:55) Real bugs, including a 15-year-old one(23:00) Open-sourcing it(26:26) Why humans still review every fix(32:30) Live demo and prioritizing files(40:18) Mobilizing the team and recap(42:33) Lightning round—Tools referenced:• Claude Code: https://claude.ai/code• Claude Agent SDK: https://code.claude.com/docs/en/agent-sdk/overview• Codex: https://openai.com/index/openai-codex/• OpenAI Agent SDK: https://developers.openai.com/api/docs/guides/agents• VS Code: https://code.visualstudio.com/• Docker: https://www.docker.com/• Firefox: https://www.mozilla.org/firefox/• Address Sanitizer: https://github.com/google/sanitizers• RLBox: https://rlbox.dev/—Other references:• Mozilla Bug Bounty Program: https://www.mozilla.org/security/bug-bounty/• Mozilla GitHub: https://github.com/mozilla—Where to find Brian Grinstead:LinkedIn: https://www.linkedin.com/in/bgrins/GitHub: https://github.com/bgrins—Where to find Claire Vo:ChatPRD: https://www.chatprd.ai/Website: https://clairevo.com/LinkedIn: https://www.linkedin.com/in/clairevo/X: https://x.com/clairevo—Production and marketing by https://penname.co/. For inquiries about sponsoring the podcast, email [email protected].
What this episode covers
Brian Grinstead is a distinguished engineer at Mozilla, where he’s worked on Firefox and the web platform since 2013 (he joined to help launch Firefox DevTools). Recently he and his team pointed an agentic bug-finding pipeline at Firefox—a codebase with tens of thousands of files and tens of millions of lines of code—and shipped a record month of security fixes. The viral chart everyone saw gave the credit to Anthropic’s new Mythos model. Brian’s take is that the harness and pipeline did just as much of the work, and he walks through exactly how it runs and how anyone can build a starter version.What you’ll learn:How to build a basic bug-finding harness by running Claude Code or Codex with one prompt and the -p flag, no SDK requiredWhy pointing an agent at a whole codebase fails, and how an LLM judge can score and rank files before you spend any computeHow a verifier subagent kills false positives by catching the agent when it cheatsThe goal-loop pattern: give an agent a tightly scoped problem, a clear pass/fail signal, and let it retry far past the point a human would quitWhy teams that already invested in fuzzing, CI, and dev tooling are so far aheadHow to weigh model versus harness, and why Brian splits the credit close to 50-50How a non-engineer can reuse the same score, verify, and fix the loop for design quality, conversion rate, or tech debtWhy AI-generated patches still can’t ship on their own, and where humans stay in the loop—Brought to you by:WorkOS—Make your app enterprise-ready todayMetaview—The agentic recruiting platform for winning teams—In this episode, we cover:(00:00) Introduction to Brian Grinstead(02:43) The viral chart: Firefox Security Bug Fixes by Month(05:32) How the custom harness works(10:22) Goal loops and guardrails(14:45) How they built it(16:55) Real bugs, including a 15-year-old one(23:00) Open-sourcing it(26:26) Why humans still review every fix(32:30) Live demo and prioritizing files(40:18) Mobilizing the team and recap(42:33) Lightning round—Tools referenced:• Claude Code: https://claude.ai/code• Claude Agent SDK: https://code.claude.com/docs/en/agent-sdk/overview• Codex: https://openai.com/index/openai-codex/• OpenAI Agent SDK: https://developers.openai.com/api/docs/guides/agents• VS Code: https://code.visualstudio.com/• Docker: https://www.docker.com/• Firefox: https://www.mozilla.org/firefox/• Address Sanitizer: https://github.com/google/sanitizers• RLBox: https://rlbox.dev/—Other references:• Mozilla Bug Bounty Program: https://www.mozilla.org/security/bug-bounty/• Mozilla GitHub: https://github.com/mozilla—Where to find Brian Grinstead:LinkedIn: https://www.linkedin.com/in/bgrins/GitHub: https://github.com/bgrins—Where to find Claire Vo:ChatPRD: https://www.chatprd.ai/Website: https://clairevo.com/LinkedIn: https://www.linkedin.com/in/clairevo/X: https://x.com/clairevo—Production and marketing by https://penname.co/. For inquiries about sponsoring the podcast, email [email protected].
NOW PLAYING
How Claude Mythos found a 15-year-old bug in Mozilla Firefox | Brian Grinstead
No transcript for this episode yet
Similar Episodes
Mar 31, 2026 ·54m
Mar 27, 2026 ·14m
Mar 24, 2026 ·42m
Mar 20, 2026 ·42m
Mar 17, 2026 ·41m
Mar 13, 2026 ·44m