OpenAI Launches 'Patch the Planet' to Fix Open-Source Bugs
OpenAI expanded its Daybreak security effort on June 22 with Patch the Planet — pairing the full GPT-5.5-Cyber model and a Codex Security plugin with Trail of Bits and 30+ open-source projects to turn vulnerability findings into merged fixes at scale.
OpenAI on June 22 broadened its Daybreak cybersecurity push with Patch the Planet, an initiative aimed at dragging widely used open-source software from vulnerability reports to merged fixes — at machine speed. The launch pairs the full release of its specialized GPT-5.5-Cyber model with a new Codex Security plugin and a coalition of security firms, governments, and the maintainers who keep critical open-source projects alive.
Patch the Planet is being run with security firm Trail of Bits alongside HackerOne and Calif, funding researchers to work directly with maintainers. More than 30 open-source projects have committed to take part, with early participants including cURL, Go, Python, Sigstore, and pyca/cryptography — the kind of foundational libraries whose bugs ripple across the entire software supply chain. Trail of Bits says it has put engineers full-time on 19 of those projects, surfacing hundreds of security issues and merging dozens of patches, with more still under coordinated disclosure.
The numbers OpenAI is citing are meant to show the model earning its keep on defense. The full GPT-5.5-Cyber scores 85.6% on the CyberGym benchmark, up from 81.8% for the general GPT-5.5, and the Codex Security plugin has scanned more than 30 million commits across over 30,000 codebases since its March preview, automatically resolving over 500,000 findings. In one demonstration, Trail of Bits engineers used repeated Codex runs to stand up a full fuzzing lab in under a day — work they estimate would normally take weeks — and pointed the model at the Linux kernel, where it combed 30 million-plus lines of code and produced eight kernel pointer information-leak proofs-of-concept and 24 local privilege-escalation exploits.
Distribution runs through partners. OpenAI's Cyber Partner program lines up Accenture, Akamai, Check Point, Cisco, Cloudflare, CrowdStrike, IBM, and Palo Alto Networks to fold GPT-5.5-Cyber into their own offerings under the company's Trusted Access for Cyber framework — the same gated approach OpenAI used when it first opened GPT-5.5-Cyber to vetted defenders, designed to keep an offensively capable model in the hands of people fixing bugs rather than planting them. The effort also leans on government backing, with support from Australia, Canada, France, Germany, Japan, South Korea, and EU institutions including the cyber agency ENISA.
The framing OpenAI keeps returning to is asymmetry: defenders have always had to find every hole while attackers need only one, and the bet here is that automated, model-driven patching can finally tilt that math the other way. The harder question is whether the same capability that drafts a privilege-escalation exploit to prove a point stays pointed at defense — which is exactly why the gating, partners, and disclosure rules around this release matter as much as the benchmark scores.