AI-generated

OpenAI's 'Patch the Planet': AI Fixing Open-Source Holes at Scale


OpenAI is expanding its Daybreak cyber program: with the full version of GPT-5.5-Cyber and a new initiative called 'Patch the Planet', it wants to find and fix vulnerabilities in widely used open-source software. It's OpenAI's answer to Anthropic's Project Glasswing.


While Anthropic has spent months showing how well Claude finds security holes through Project Glasswing, OpenAI is catching up. On June 22 the company significantly expanded its cybersecurity program Daybreak — and launched ‘Patch the Planet’, an initiative aimed squarely at open-source maintainers.

What was announced

Three things at once: the full version of the specialized GPT-5.5-Cyber model, a Codex Security plugin (find, validate and fix vulnerabilities right inside Codex), and Patch the Planet itself — built with security firms Trail of Bits and HackerOne. The idea: pair AI-assisted vulnerability research with human expert review across the whole loop, from discovery through validation and disclosure to a tested patch.

The benchmarks make a statement. GPT-5.5-Cyber sets a new state of the art on CyberGym at 85.6 percent (GPT-5.5: 81.8 percent). The concrete results matter more: in the Linux kernel, the model analyzed security-relevant components across more than 30 million lines of code and generated, among other things, 8 kernel pointer info-leak proof-of-concepts and 24 local privilege escalation exploits. Trail of Bits has put full-time engineers on 19 open-source projects — already surfacing hundreds of issues and merging dozens of patches.

The catch is still the catch

Let’s be honest: the exact model that finds and validates holes could also exploit them. OpenAI even publishes this on ExploitGym — GPT-5.5-Cyber turns known vulnerabilities into working exploits more reliably than its predecessor. That’s the dual-use reality of any good cyber model: defense and offense are the same skill, just pointed in different directions.

My take

What’s interesting here isn’t the single model — it’s the pattern. Anthropic and OpenAI are in an open race on AI cybersecurity: Glasswing versus Daybreak. And both have realized the biggest lever isn’t their own code but the open-source infrastructure half the internet runs on — often maintained by a few overstretched volunteers.

If AI genuinely patches real holes at scale there, that’s a tangible win for everyone — including people who’ll never say a word about LLMs. As long as the defenders stay faster than the attackers. That’s the whole bet.

Sources: OpenAI: Patch the Planet, TestingCatalog, SecurityBrief