Trail of Bits has dedicated its security research organization to the initiative’s initial phase, working directly with participating projects to investigate vulnerabilities, develop fixes, and support remediation efforts. HackerOne and Calif are contributing vulnerability triage, coordinated disclosure services, and additional research support.
Patch the Planet engagements begin with consultations between security researchers and project maintainers. The collaboration can focus on areas ranging from vulnerability validation and patch creation to CI/CD improvements and broader security engineering work. Researchers then use OpenAI’s frontier models and Codex Security to analyze code, test potential issues, and support remediation efforts.
The first group of participating projects includes cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org. OpenAI said these projects represent critical networking, cryptography, software supply chain, and programming language infrastructure used across a wide range of products and services.
Participating maintainers receive access to ChatGPT Pro, conditional access to Codex Security, and API credits that can be used for development, automation, and release workflows. Trail of Bits has also developed AI-assisted workflows for tasks such as vulnerability triage, deduplication, and patch generation that participating projects can adopt.
According to OpenAI, Trail of Bits has already assigned full-time security engineers to work with Codex and GPT-5.5-Cyber across 19 open-source projects. The company said those efforts have uncovered hundreds of security issues and resulted in dozens of merged patches, while additional findings remain in the coordinated disclosure process.
Beyond individual vulnerabilities, the project has also produced supporting security infrastructure, including fuzzing systems, historical CVE analysis pipelines, differential testing frameworks, threat models, expanded test suites, and workflows designed to reduce false positives and improve vulnerability assessment.
One example involved the creation of a fuzzing environment built with repeated Codex and GPT-5.5-Cyber runs. OpenAI said the setup covered dozens of entry points, build variants, platforms, and test seeds, and was completed in less than a day. Trail of Bits estimated the same work would typically require several weeks of manual effort.
Researchers also developed a system that analyzes historical CVEs, extracts vulnerability patterns, searches codebases for related flaws, and routes findings through automated validation and filtering stages before human review. OpenAI said the workflow uncovered additional issues across projects under evaluation.
Another area of focus was differential testing, where multiple implementations of the same protocol are compared under identical inputs to identify behavioral differences that may indicate vulnerabilities. OpenAI said Codex generated much of the required integration code, enabling teams to compress work that historically took weeks or months into a matter of days.
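The differential-testing approach described above, as an added example that is not Patch the Planet's or any participating project's code: a small Python harness that feeds one constructed input corpus to two implementations of the same format (here, the two IPv4 text parsers in CPython's standard library) and reports every input on which their behavior diverges. The function names, the outcome normalization and the sample inputs are assumptions for illustration.

```python
"""Minimal differential-testing harness: run identical inputs through several
implementations of one format and record any behavioral divergence.
Constructed illustration (not Patch the Planet tooling); the two
implementations compared are CPython's ipaddress module and its wrapper
around the C library's inet_aton()."""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass
class Divergence:
    input_text: str
    results: dict  # implementation name -> normalized outcome


def via_ipaddress(text: str) -> str:
    """Strict dotted-quad parser; anything non-canonical is rejected."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:  # AddressValueError is a ValueError subclass
        return "REJECT"


def via_inet_aton(text: str) -> str:
    """Lenient BSD-style inet_aton(); normalize its result to dotted quad."""
    try:
        return socket.inet_ntoa(socket.inet_aton(text))
    except OSError:
        return "REJECT"


IMPLEMENTATIONS = {"ipaddress": via_ipaddress, "inet_aton": via_inet_aton}


def differential_run(inputs, implementations=IMPLEMENTATIONS):
    """Return the inputs on which the normalized outcomes disagree.
    Agreement (same address, or REJECT from every implementation) is the
    expected case; each disagreement is a candidate for human review."""
    findings = []
    for text in inputs:
        results = {name: impl(text) for name, impl in implementations.items()}
        if len(set(results.values())) > 1:
            findings.append(Divergence(text, results))
    return findings


# Constructed corpus: canonical addresses, malformed text, and shorthand forms.
SAMPLE_INPUTS = ["192.0.2.1", "10.0.0.256", "not-an-ip", "127.1", "0x7f.0.0.1"]

if __name__ == "__main__":
    for d in differential_run(SAMPLE_INPUTS):
        print(f"{d.input_text!r}: {d.results}")
```

Divergences are reported, not judged: deciding whether a disagreement matters is the human-review step the article describes.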
The company emphasized that every vulnerability report submitted to maintainers undergoes human review. Trail of Bits engineers verify evidence, remove duplicates, reassess severity levels, and confirm findings before maintainers are contacted. Maintainers retain authority over patch deployment decisions and disclosure timelines.
Patch the Planet builds on broader Daybreak research into AI-assisted cybersecurity. OpenAI disclosed several examples of vulnerabilities identified through those efforts, including findings involving the Linux kernel, OpenBSD, FreeBSD, dnsmasq, Chrome, Safari, and Firefox. Some of those findings have already been patched, while others remain subject to ongoing disclosure processes.
OpenAI said the initiative is intended to support the entire vulnerability management cycle, from discovery and validation to patch development, testing, disclosure, and deployment. As additional fixes are released and disclosure processes conclude, the company plans to publish more detailed technical reports covering specific findings, research methods, and security workflows developed through the program.
This analysis is based on reporting from OpenAI.
Image courtesy of OpenAI.
This article was generated with AI assistance and reviewed for accuracy and quality.