OpenAI Launches Patch the Planet, A Daybreak Initiative to Fix Open-Source Vulnerabilities

OpenAI has launched Patch the Planet, a Daybreak initiative developed in partnership with Trail of Bits, to help maintainers strengthen the open-source software the world relies on.

It combines AI-assisted security research, using OpenAI's most cyber-capable models, with expert human validation to not only identify vulnerabilities but also patch them effectively. The initiative also aims to help open-source maintainers develop patches and tests and build reusable workflows that strengthen long-term security practices.

Using AI-Powered Security with Human Expertise

Patch the Planet addresses a growing cybersecurity challenge: while AI can discover vulnerabilities, open-source maintainers lack the resources to validate and fix the increasing number of reports. To reduce the burden, Trail of Bits security researchers review all AI-generated findings before they reach project maintainers.

The program also partners with organizations such as HackerOne and Calif for vulnerability triage, additional security research, and coordinated disclosure. Initial participants include open-source projects such as cURL, NATS Server, Python, Sigstore, pyca/cryptography, aiohttp, and freenginx.

Early Results Showing Significant Impact

According to Trail of Bits, the initial phase involved security engineers working across 19 open-source projects using GPT-5.5-Cyber and Codex Security. The effort has uncovered hundreds of security issues and resulted in dozens of merged patches.

The initial sprint delivered reusable security infrastructure. It helped researchers build a fuzzing lab in less than one day, develop a reusable pipeline for finding variants of known vulnerabilities, and improve testing processes that previously took weeks or months.

The initiative also generated security assets, including threat models, CVE analysis pipelines, frameworks, and improved CI/CD workflows.

Some Major Vulnerabilities Identified Across the Software Stack

Patch the Planet builds on OpenAI's Daybreak work. OpenAI highlighted some recent vulnerability findings in widely used software from its Daybreak research efforts.

  • GPT‑5.5‑Cyber scanned more than 30 million lines of code commits across 30,000+ codebases during its research preview. It also flagged potential security issues and generated 8 kernel pointer information leak PoCs in the Linux kernel.
  • A 23-year-old use-after-free privilege escalation vulnerability in the OpenBSD kernel implementation of System V semaphores.
  • Researchers also confirmed 34 vulnerabilities and produced 7 local privilege escalation PoCs in a FreeBSD campaign.

Additional discoveries included vulnerabilities in networking software and browsers, as follows:

Network:

  • Identified vulnerable patterns in four of the six dnsmasq CVEs, which were later fixed in 2.92rel2.
  • HTTP/2 Bomb, a denial-of-service technique affecting major HTTP/2 implementations, including NGINX, Apache, IIS, and Pingora.

Browsers:

  • Five vulnerabilities were found in Chrome’s V8 JavaScript engine, of which three were identified and fixed within days of being introduced.
  • 10 exploitable Safari vulnerabilities were found and reported.
  • OpenAI’s GPT-5.5-Cyber found a WebAssembly vulnerability in Firefox (CVE-2026-8390). Mozilla fixed the flaw in just two days before Pwn2Own Berlin, prompting five of the six registered Firefox entries at Pwn2Own Berlin to withdraw. No Firefox exploit was successfully demonstrated at the event.

OpenAI believes that securing open-source software is important and should be a shared responsibility. According to OpenAI’s statement, “The Patch the Planet initiative is designed to put that full defensive loop in service of maintainers: discovery, validation, severity review, disclosure, patch development, testing, and deployment.” This is just the start. The company aims to make the open-source community secure and reliable for all.
