Firefox had more security vulnerabilities discovered last month than any month in the past year
Firefox had more security vulnerabilities discovered last month than any month in the past year. More than double the previous peak.
Most of those discoveries came from a single instance of Claude Code Security that Anthropic pointed at the Firefox codebase for two weeks. It found 22 vulnerabilities that had survived decades of expert human review, including 14 of high severity, for about $4,000 in compute.
Finding more vulnerabilities doesn't mean the software is less secure, as long as the right people find them first.
And right now, they're not.
Open source maintainers can't afford to run these tools. The companies building on top of their code mostly aren't funding it. And every commercial vendor in your stack inherits that same exposure through their dependency tree.
This isn't two separate problems. Your vendor's security posture and the health of the open source ecosystem are the same thing. No amount of AI scanning on proprietary code matters if the libraries underneath it are still getting audited the old way, or not at all.
As a community we need to figure out how to get AI security scanning to the dependency level. That could be OpenSSF expanding its mandate, labs offering free tiers for open source projects, or companies sponsoring scanning for the libraries they depend on. The mechanism matters less than the urgency.
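The "inherited exposure" argument above, and the question of which libraries a company should sponsor scanning for, can be made concrete with a dependency graph. The following is an added example, not code from the post or from any of the projects it names: it builds a small constructed graph of hypothetical packages (two hypothetical proprietary products, "vendor-app" and "vendor-app-b", on top of made-up open source libraries), computes each product's transitive dependencies, lists those that nobody has scanned, and ranks the unscanned libraries by how many other packages transitively depend on them. The package names and the "scanned" set are assumptions chosen for illustration, not real projects or real scan coverage.

```python
from collections import defaultdict, deque

# Constructed example graph (not from the post): each key lists the packages
# it depends on directly. "vendor-app" and "vendor-app-b" stand in for two
# proprietary products; everything else stands in for open source libraries.
DEPENDENCIES = {
    "vendor-app": ["web-framework", "auth-lib"],
    "vendor-app-b": ["auth-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "auth-lib": ["crypto-lib", "http-parser"],
    "template-engine": ["string-utils"],
    "http-parser": [],
    "crypto-lib": ["string-utils"],
    "string-utils": [],
}

# Constructed: only the proprietary code has had AI-assisted scanning; none
# of the libraries underneath it has.
SCANNED = {"vendor-app", "vendor-app-b"}


def transitive_dependencies(graph, root):
    """Every package reachable from root via dependency edges (root excluded)."""
    seen = set()
    queue = deque(graph.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def inherited_exposure(graph, scanned, root):
    """Transitive dependencies of root that have never been scanned.

    This is the exposure a product inherits regardless of how well its own
    code was reviewed: a finding in any of these propagates up to root.
    """
    return {p for p in transitive_dependencies(graph, root) if p not in scanned}


def dependents_count(graph):
    """For each package, how many packages in the graph transitively depend on it."""
    counts = defaultdict(int)
    for pkg in graph:
        for dep in transitive_dependencies(graph, pkg):
            counts[dep] += 1
    return counts


def sponsorship_priority(graph, scanned):
    """Unscanned packages ordered by dependent count (highest first, then name).

    A library near the top underpins the most other packages, so scanning it
    removes inherited exposure for the largest share of the ecosystem.
    """
    counts = dependents_count(graph)
    unscanned = ((pkg, n) for pkg, n in counts.items() if pkg not in scanned)
    return sorted(unscanned, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for product in ("vendor-app", "vendor-app-b"):
        print(product, "inherits unscanned exposure from:",
              sorted(inherited_exposure(DEPENDENCIES, SCANNED, product)))
    print("Scanning priority:", sponsorship_priority(DEPENDENCIES, SCANNED))
```

Both products turn out to share most of their unscanned exposure, which is the post's point that a vendor's posture and the ecosystem's health are one problem. In practice the graph would be read from an SBOM or lockfile rather than hard-coded, and the "scanned" set would come from whatever coverage records the organisation keeps.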
This will get solved eventually, either through coordinated investment or because a breach forces it. That breach just hasn't happened yet.
The question is whether we build the infrastructure proactively or wait for a Log4Shell-scale event in the age of AI-powered vulnerability discovery and exploitation to make the case for us.