OpenAI Launches Full-Scale Effort to Patch Open-Source Bugs as It Takes on Anthropic’s Mythos

Amid concerns about AI models’ cybersecurity capabilities, OpenAI revealed an improved version of GPT-5.5-Cyber and its “Patch the Planet” initiative to fix open-source software bugs.

As fears about AI hacking capabilities grow, OpenAI on Monday made a slew of cybersecurity-focused announcements, including an improved version of its limited-access, security-specialized model GPT-5.5-Cyber, expanded international work with governments and other institutions to give them “trusted access” to the company’s latest cybersecurity-focused models, and the release of its Codex Security scanner as an app plugin.

As advances across the AI industry leave critical open source projects at increasing risk of falling behind, the company also said on Monday that it is launching an effort known as Patch the Planet, founded with the prominent research-focused security firm Trail of Bits and in collaboration with vulnerability management firms HackerOne and Calif.

The project has already begun its work, offering free security consulting services to open source maintainers not only to help them find and patch vulnerabilities, but also to support them in strengthening their codebases and incorporating AI security tools into their development process. The idea is to give individualized support to as many open source projects as possible, improving both their current security and their long-term resilience in a way that is actually sustainable.

“Patch the Planet is an internet-scale effort to help open source software get ahead of AI bug hunting tools,” says Trail of Bits CEO and cofounder Dan Guido. “But it’s also an effort to help the open source community see the benefits and not just the downsides of AI coding tools.”

Open source developers—typically volunteers keeping critical and widely used software afloat with few resources—are often already struggling to keep up with bug reports. The rise of AI vulnerability hunting in recent months has, for many maintainers, made that backlog feel insurmountable as AI-generated slop reports stack up, making it difficult to prioritize and pulling already limited time and attention away from critical flaws.

Maintainers “do their work out of love of open source and now they’re stuck reviewing slop CVEs,” says OpenAI’s cyber tech lead Fouad Matin. With Patch the Planet, he says, “what we’ve effectively done is make it as efficient from a token perspective as possible to reduce the burden for maintainers—code base assessments, validating potential reports, creating patches, and landing them. We want to offset costs, whether it’s tokens or people power, to actually patch as much of the world of software as possible.”

Matin adds that for its Codex Security scanner, which has been in research preview since earlier this year, OpenAI has been subsidizing usage for both open source and private code “to the tune of 20 trillion tokens.”

More than 30 open source projects are already participating in Patch the Planet, with more in the pipeline. To launch the project, Trail of Bits recently conducted a five-day opening sprint in which 25 engineers, roughly a fifth of its workforce, worked simultaneously on collaborations with an array of maintainers. OpenAI and Trail of Bits say the project has already uncovered hundreds of bugs and produced dozens of patches in just its first week. And Guido says that with funding from OpenAI as well as unmetered model access, Trail of Bits plans to continue its intense commitment to Patch the Planet work over the long term.

“It’s so rare that we get the opportunity to work on large scale open source security issues,” Guido says. “And Patch the Planet is not a one size fits all. We speak to all the maintainers for every single project and figure out what their highest priorities are, whether it’s building better testing infrastructure or custom fuzzers or just cleaning up technical data across the project because that’s what’s going to make them work faster and operate faster and patch faster.”
