How I AI

How Claude Mythos found a 15-year-old bug in Mozilla Firefox | Brian Grinstead



Brian Grinstead is a distinguished engineer at Mozilla, where he’s worked on Firefox and the web platform since 2013 (he joined to help launch Firefox DevTools). Recently he and his team pointed an agentic bug-finding pipeline at Firefox—a codebase with tens of thousands of files and tens of millions of lines of code—and shipped a record month of security fixes. The viral chart everyone saw gave the credit to Anthropic’s new Mythos model. Brian’s take is that the harness and pipeline did just as much of the work, and he walks through exactly how it runs and how anyone can build a starter version.


What you’ll learn:

  1. How to build a basic bug-finding harness by running Claude Code or Codex with one prompt and the -p flag, no SDK required
  2. Why pointing an agent at a whole codebase fails, and how an LLM judge can score and rank files before you spend any compute
  3. How a verifier subagent kills false positives by catching the agent when it cheats
  4. The goal-loop pattern: give an agent a tightly scoped problem, a clear pass/fail signal, and let it retry far past the point a human would quit
  5. Why teams that already invested in fuzzing, CI, and dev tooling are so far ahead
  6. How to weigh model versus harness, and why Brian splits the credit close to 50-50
  7. How a non-engineer can reuse the same score, verify, and fix loop for design quality, conversion rate, or tech debt
  8. Why AI-generated patches still can’t ship on their own, and where humans stay in the loop


In this episode, we cover:

(00:00) Introduction to Brian Grinstead

(02:43) The viral chart: Firefox Security Bug Fixes by Month

(05:32) How the custom harness works

(10:22) Goal loops and guardrails

(14:45) How they built it

(16:55) Real bugs, including a 15-year-old one

(23:00) Open-sourcing it

(26:26) Why humans still review every fix

(32:30) Live demo and prioritizing files

(40:18) Mobilizing the team and recap

(42:33) Lightning round

Tools referenced:

• Claude Code: https://claude.ai/code

• Claude Agent SDK: https://code.claude.com/docs/en/agent-sdk/overview

• Codex: https://openai.com/index/openai-codex/

• OpenAI Agent SDK: https://developers.openai.com/api/docs/guides/agents

• VS Code: https://code.visualstudio.com/

• Docker: https://www.docker.com/

• Firefox: https://www.mozilla.org/firefox/

• Address Sanitizer: https://github.com/google/sanitizers

• RLBox: https://rlbox.dev/

Other references:

• Mozilla Bug Bounty Program: https://www.mozilla.org/security/bug-bounty/

• Mozilla GitHub: https://github.com/mozilla

Where to find Brian Grinstead:

LinkedIn: https://www.linkedin.com/in/bgrins/

GitHub: https://github.com/bgrins

Where to find Claire Vo:

ChatPRD: https://www.chatprd.ai/

Website: https://clairevo.com/

LinkedIn: https://www.linkedin.com/in/clairevo/

X: https://x.com/clairevo

Production and marketing by https://penname.co/.


How I AI, by Claire Vo
