OpenAI’s Patch the Planet Pairs AI and Humans to Fix Open-Source Bugs

Patch the Planet, OpenAI’s new initiative built with the security firm Trail of Bits, launched on Monday and points the company’s frontier AI at the open-source projects most of the internet quietly runs on. The first five-day sprint covered 19 projects and produced 64 pull requests, 51 filed issues, and 37 merged patches, with hundreds of additional findings still moving through coordinated disclosure. The full scope is laid out in the Patch the Planet announcement OpenAI published Monday.

The program landed the same afternoon the cybersecurity chiefs of the Five Eyes alliance released a joint statement warning that frontier AI is compressing the gap between vulnerability discovery and exploitation to ‘months, not years.’ OpenAI’s bet, spelled out in the announcement, is that pairing those same models with vetted human reviewers lets defenders move first. The argument that maintenance is the real ceiling for open-source security, and that AI only widens the gap without extra hands, is the same point made by Microsoft’s recent open-source giveaways and the catch behind them: who actually pays to keep critical code alive.

Five Days, 19 Projects, Hundreds of Bugs

The first cohort spans cryptography, networking, language infrastructure, and software supply chain, the layers where a single bad day cascades into thousands of downstream products. Together they produced hundreds of new issues and dozens of merged patches in a single week.

The numbers, per Trail of Bits’ own write-up, are sharper than the prose suggests. Engineers opened 64 pull requests and filed 51 issues across the 19 projects, with 37 patches already merged and many more in flight. Several projects take reports through private channels such as HackerOne, GitHub security advisories, and mailing lists, so the public tally undercounts the work. The aim of Patch the Planet, Trail of Bits said, is to leave essential open-source projects measurably better off, with merges that go beyond bug fixes into new tests, fuzzing harnesses, supply-chain tooling, and features maintainers had been meaning to get to.

The maintainers responded in kind. The aiohttp team authored and merged all eight fixes within hours, seven of them inside a single five-hour window. The python.org team got a new zizmor-based CI workflow, tightened release-file validation, and SBOM sidecars for Windows artifacts. The RustCrypto project received correctness fixes to a big-integer library that higher-level cryptography builds on, plus feature work on serde encoding and HPKE DHKEM suite IDs. The work landed where it should, in the projects themselves, with the maintainers driving what shipped.

The Stack the AI Walked

The program did not stop at one layer. Across operating systems, network software, and browser engines, the team produced a documented finding at each stop, and the spread is the point.

On operating systems, the haul was substantial. In the Linux kernel, GPT-5.5-Cyber combed more than 30 million lines of code and produced 8 kernel pointer information-leak proof-of-concepts and 24 local privilege-escalation exploits; hundreds more issues were identified, with the eight and twenty-four representing the subset for which PoCs were automatically generated. In OpenBSD, the AI surfaced a 23-year-old use-after-free in the kernel’s System V semaphore code that OpenAI researchers confirmed could let an unprivileged local user escalate to root. In FreeBSD, a broader campaign confirmed 34 vulnerabilities and produced 7 local privilege-escalation PoCs.

On browsers, the pace was just as aggressive. Chrome’s V8 JavaScript engine yielded 5 exploitable bugs, 3 of which were identified and remediated within days of being introduced, while Safari’s WebKit gave up over 10 exploitable bugs in roughly a week. Firefox contributed the cleanest single result: CVE-2026-8390, a WebAssembly flaw OpenAI Preparedness identified during safety evaluations, which Mozilla patched two days before Pwn2Own Berlin, prompting 5 of 6 registered Firefox entries to withdraw; no Firefox exploit was successfully demonstrated at the competition.

The network software fared no better. Calif used Codex to identify ‘HTTP/2 Bomb,’ a denial-of-service technique that hits NGINX, Apache, IIS, and Pingora, with the firm’s analysis suggesting more than 880,000 internet-facing sites were running affected server software with HTTP/2 enabled. Codex Security independently matched vulnerable patterns corresponding to 4 of the 6 dnsmasq CVEs later fixed in release 2.92rel2, including CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, and CVE-2026-5172.

Target          Finding
Linux kernel    8 kernel pointer info-leak PoCs, 24 LPE exploits in 30M+ lines of code
OpenBSD         23-year-old use-after-free in System V semaphores; unprivileged local user to root
FreeBSD         34 confirmed vulnerabilities, 7 LPE PoCs
Chrome V8       5 exploitable bugs, 3 patched within days of introduction
Safari WebKit   10+ exploitable bugs in roughly one week
Firefox         CVE-2026-8390 WebAssembly flaw, patched 2 days before Pwn2Own Berlin; 5 of 6 entries withdrew

A Fuzzing Lab Built in a Day

The headline engineering claim is that humans, paired with frontier models, can compress weeks of work into hours. Given a narrow goal and no instructions on how, GPT-5.5-Cyber decided reading the source of one of the most-reviewed C libraries in existence was a poor use of tokens and stood up a full fuzzing lab in under a day, per Trail of Bits’ own write-up of the first week. The build included sanitizer and variant builds, a seed corpus drawn from existing tests, and harnesses across a dozen entry points; Trail of Bits estimated a human fuzzing expert would have needed two to three weeks.

The same week produced two more reusable pipelines. A CVE variant-analysis system, which ingests historical bug records and hunts for new flaws sharing the same root cause, was built in less than a day, and Trail of Bits called the models ‘especially effective at this kind of variant analysis’ with ‘almost exclusively high-signal’ output. Differential testing, which pits rival implementations of the same protocol against each other, ran in days rather than the usual weeks or months. The work also produced threat models, attack taxonomies, invariant tests, and SBOM sidecars, leaving several projects with stronger test coverage than they had when the sprint began.
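What a harness like the ones described above looks like in practice, as an added example rather than code from OpenAI, Trail of Bits, or any of the participating projects: a libFuzzer-style entry point that replays a seed corpus and runs differential testing between two implementations of the same small format. The two percent-decoders, the seed strings, and the deliberate disagreement on a truncated escape are all constructed for this illustration; the point is that a memory-safe divergence is invisible to sanitizers alone and only surfaces when rival implementations are compared.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IN 256  /* harness scope: inputs longer than this are skipped, not judged */

static int hexval(uint8_t c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return c - 'A' + 10;
}

/* Implementation A (hypothetical): decode %XX when two hex digits follow;
 * any other '%' is copied through literally, including a truncated escape at the end. */
static size_t decode_a(const uint8_t *in, size_t n, uint8_t *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '%' && i + 2 < n && isxdigit(in[i + 1]) && isxdigit(in[i + 2])) {
            out[o++] = (uint8_t)((hexval(in[i + 1]) << 4) | hexval(in[i + 2]));
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    return o;
}

/* Implementation B (hypothetical): same spec, but a truncated escape at the end
 * stops decoding and silently drops the tail. It is memory-safe, so ASan alone
 * never flags it; only comparing against A exposes the disagreement. */
static size_t decode_b(const uint8_t *in, size_t n, uint8_t *out) {
    size_t o = 0, i = 0;
    while (i < n) {
        if (in[i] != '%') { out[o++] = in[i++]; continue; }
        if (n - i < 3) break;  /* constructed divergence from decode_a */
        if (isxdigit(in[i + 1]) && isxdigit(in[i + 2])) {
            out[o++] = (uint8_t)((hexval(in[i + 1]) << 4) | hexval(in[i + 2]));
            i += 3;
        } else {
            out[o++] = in[i++];
        }
    }
    return o;
}

/* Differential oracle: 0 = implementations agree, 1 = outputs differ,
 * 2 = the invariant "decoding never grows the input" was violated. */
int differential_check(const uint8_t *data, size_t size) {
    uint8_t a[MAX_IN], b[MAX_IN];
    if (size > MAX_IN) return 0;
    size_t la = decode_a(data, size, a);
    size_t lb = decode_b(data, size, b);
    if (la > size || lb > size) return 2;
    if (la != lb || memcmp(a, b, la) != 0) return 1;
    return 0;
}

/* libFuzzer entry point (build with clang -fsanitize=fuzzer,address -DFUZZ_BUILD).
 * Aborting turns any disagreement into a recorded crash with the input saved. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (differential_check(data, size) != 0) abort();
    return 0;
}

/* Seed corpus, constructed here to stand in for inputs lifted from existing unit tests. */
static const char *const kSeeds[] = { "plain", "%41%42%43", "a%20b", "100%25", "%zz", "" };

/* Replay the seeds through the oracle and return how many disagree. A clean corpus
 * returns 0; that is the baseline before the fuzzer starts mutating. */
int replay_seeds(void) {
    int mismatches = 0;
    for (size_t i = 0; i < sizeof kSeeds / sizeof kSeeds[0]; i++) {
        if (differential_check((const uint8_t *)kSeeds[i], strlen(kSeeds[i])) != 0) mismatches++;
    }
    return mismatches;
}

#ifndef FUZZ_BUILD
int main(void) {
    printf("seed mismatches: %d\n", replay_seeds());
    /* A one-byte-short escape is the kind of case mutation reaches within seconds of the seeds. */
    printf("\"%%4\" -> %d\n", differential_check((const uint8_t *)"%4", 2));
    return 0;
}
#endif
```

The seeds all pass, so the baseline is clean; the fuzzer then mutates them, and the first input ending in a lone `%` or `%4` trips the oracle. The same shape scales to the real case in the text: swap the two toy decoders for two independent implementations of a protocol message parser, keep the invariant checks, and let the sanitizer build catch the memory bugs while the comparison catches the semantic ones.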

Many maintainers are already being asked to sort through more reports, more quickly, with the same limited time and resources. Patch the Planet is built to reduce that burden, not add to it.

OpenAI put the principle plainly in its Patch the Planet announcement, and the model that built the lab, GPT-5.5-Cyber, is the same one OpenAI is releasing only through Trusted Access for Cyber, an identity-verified channel for vetted defenders. The bottleneck, the announcement argued, has moved from finding to fixing.

The 14 projects covered in the first sprint, with more on the waitlist:

  • cURL
  • NATS Server
  • pyca/cryptography
  • Sigstore
  • aiohttp
  • the Go project
  • freenginx
  • Python
  • python.org
  • urllib3
  • PyPI
  • SimpleX
  • Valkey
  • RustCrypto

The Same Afternoon, a Five Eyes Warning

The launch did not land in a vacuum. The Five Eyes alliance, the cybersecurity chiefs of the United States, the United Kingdom, Canada, Australia, and New Zealand, released a joint statement titled ‘The AI shift in cyber risk: why leaders must act now’ the same afternoon, warning that frontier AI is ‘lowering the barrier for malicious actors’ and that the timeline is months, not years. The Five Eyes advisory urged leaders to accelerate patching, address legacy systems, and integrate AI deliberately into defensive operations, and landed as a national-security complement to the commercial announcements OpenAI was making the same hour.

OpenAI, for its part, confirmed ongoing collaboration with the Center for AI Standards and Innovation (CAISI) on pre-deployment testing for GPT-5.5 and GPT-5.5-Cyber, and with the Office of the National Cyber Director and the Office of Science and Technology Policy on a recently signed Executive Order. Both moves point at the same conclusion: the defensive gap is already here.

OpenAI is not alone in showing what AI can do to mature codebases. Anthropic’s own write-up of its Firefox work documents how Claude Opus 4.6 helped Mozilla find 22 vulnerabilities in Firefox 148, 14 of them high-severity, almost a fifth of all high-severity Firefox bugs remediated in 2025. The newer Claude Mythos Preview then helped Mozilla identify and fix 271 security bugs in Firefox 150 in May 2026, and Anthropic has restricted Mythos through Project Glasswing because, the company says, the model is powerful enough to create real cyber risk if released broadly.

The Bet

The bet is structural. Research from the Linux Foundation and Harvard, cited in OpenAI’s Daybreak announcement, found that 94 percent of widely used open-source projects had fewer than ten developers responsible for more than 90 percent of the code added in a year. Frontier models can now generate vulnerability reports faster than those small teams can review them, which means flooding maintainers with AI-generated findings makes the security situation worse, not better. Patch the Planet is designed to flip that calculus: AI for discovery, Trail of Bits engineers for verification, the patch, and the disclosure, with the maintainer in control of what ships.

The numbers from Codex Security’s research preview, which launched in March and is detailed in the full Daybreak announcement covering Codex Security’s scale, sketch the size of the task. The cloud service has scanned more than 30 million commits across more than 30,000 codebases; human reviewers have manually confirmed more than 70,000 findings as fixed, and another 500,000-plus findings have been automatically verified as fixed. The constraint is now patching.

OpenAI is also expanding who gets access to the same tools. GPT-5.5-Cyber is rolling out through Trusted Access for Cyber to vetted government cybersecurity agencies in Australia, Canada, France, Germany, Japan, and South Korea, and to a Daybreak Cyber Partner Program of more than two dozen security vendors including Cisco, CrowdStrike, Palo Alto Networks, IBM, Cloudflare, and Fortinet. The plan, per the announcement, is ‘to put that full defensive loop in service of maintainers: discovery, validation, severity review, disclosure, patch development, testing, and deployment.’ The wager that holds the program together is simple: make defensive AI capability ordinary before attackers turn the same capability against the plumbing.

GPT-5.5-Cyber benchmark performance, per OpenAI’s Daybreak page:

  • 85.6% on CyberGym, the benchmark that measures whether an agent can reproduce known vulnerabilities in software environments, vs 81.8% for GPT-5.5
  • 39.5% on ExploitGym, which tests whether agents can turn known vulnerabilities into working exploits that achieve unauthorized code execution, vs 25.95% for GPT-5.5
  • 69.8% on SEC-bench Pro, which evaluates long-horizon vulnerability discovery and proof-of-concept generation across complex software targets, vs 63.1% for GPT-5.5

Frequently Asked Questions

What is OpenAI’s Patch the Planet?

A program announced June 22, 2026, built with Trail of Bits, that uses GPT-5.5-Cyber and Codex Security to find vulnerabilities in critical open-source projects, then has human security engineers review, validate, and patch every finding before it reaches a maintainer. It is part of OpenAI’s wider Daybreak initiative and runs in collaboration with HackerOne and Calif.

Which open-source projects are involved?

Initial participants include cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. More than 30 projects have signed on, with a growing waitlist of additional projects behind them.

What did the AI find in the first sprint?

Eight kernel pointer information-leak PoCs and 24 local privilege-escalation exploits in the Linux kernel. A 23-year-old use-after-free in OpenBSD’s System V semaphore code that escalates an unprivileged local user to root. 34 vulnerabilities and 7 LPE PoCs in FreeBSD. Five exploitable Chrome V8 bugs, over 10 Safari WebKit bugs in roughly a week, and a Firefox WebAssembly flaw, CVE-2026-8390, that prompted 5 of 6 Pwn2Own Berlin entries to withdraw, with no Firefox exploit successfully demonstrated at the competition.

How is this different from a regular bug bounty?

The bottleneck is no longer discovery. Frontier models can produce more reports than small maintainer teams can review, and that gap is widening. Patch the Planet ships patches, not just bug reports, and routes every finding through a Trail of Bits security engineer before it reaches a maintainer. The aiohttp team merged all eight fixes within hours of disclosure, seven of them inside a single five-hour window.

Is the AI used safely?

GPT-5.5-Cyber is released only through OpenAI’s Trusted Access for Cyber program, an identity-verified channel for vetted defenders, and Anthropic has restricted its Claude Mythos Preview through Project Glasswing for similar reasons. The same-day Five Eyes warning made clear that the defensive gap, and the misuse risk, are both already here, and OpenAI framed Patch the Planet as a way to put the same capability in defenders’ hands first.
