Something quietly historic happened this week: an AI model built by one company found critical security holes in the browser built by another, and nobody seemed particularly alarmed. Anthropic's Mythos has unearthed a wealth of high-severity bugs in Firefox, according to Mozilla's own security researchers. Meanwhile, Vercel's CEO Guillermo Rauch was quietly launching an open-source agentic security review orchestrator that found confirmed critical vulnerabilities in production open-source projects. The security perimeter is no longer patrolled by humans.
When the Auditor and the Codebase Share a Training Set
The deeper strangeness here is structural. A 2025 paper in IEEE Security and Privacy by Pearce et al. found that LLMs trained on public code repositories can identify vulnerability patterns at rates exceeding junior security engineers, but with systematic blind spots inherited from their training data. Which means Mythos finding Firefox bugs is not just impressive; it is also a mirror: the model is pattern-matching against every CVE it was ever trained on. The question is what it cannot see. TurboFund's Signal Report shows Vercel's Rauch among the high-conviction investor signals this week, with two separate flags on AI-powered DevSecOps tooling, suggesting capital is already reading this shift.
The Altman-Musk Trial as Bug Report
The OpenAI trial unfolding in parallel is its own vulnerability disclosure: a public audit of what happens when mission drift and market incentives collide inside an AI lab. Musk's core argument is that OpenAI's codebase, so to speak, has been compromised by commercial interest. The irony is that Anthropic, the nonprofit-adjacent competitor born from exactly that tension at OpenAI, is now the one finding the bugs in everyone else's software. The auditor has a history. The question is whether that history is a credential or a conflict.