OpenAI has expanded its Daybreak cybersecurity program, launching a major initiative called “Patch the Planet.” Developed in partnership with security firm Trail of Bits and in collaboration with HackerOne and Calif, the program focuses squarely on the massive bottleneck in open-source software security: patching vulnerabilities, rather than just generating endless bug reports.
The initiative targets systemically critical open-source software that underpins much of the digital world but is frequently maintained by small, thinly stretched teams.
1. Moving from “Findings to Fixes”
OpenAI points out that AI has made finding software flaws incredibly easy, but this has inadvertently buried open-source maintainers under a mountain of raw, often low-quality bug reports.
Patch the Planet fixes this by deploying a strict “human-in-the-loop” defensive pipeline.
- The Process: OpenAI’s models flag vulnerabilities and draft potential fixes. Rather than flooding maintainers with this raw output, expert human security engineers from Trail of Bits review, validate, and deduplicate every finding first.
- The Delivery: The engineers work directly with project maintainers to test the patches, improve continuous integration and delivery (CI/CD) pipelines, and securely coordinate public disclosures.
2. Supported Infrastructure & Tools
OpenAI is backing participating open-source projects with significant corporate resources:
- The Hardware/Software Pack: Selected projects receive access to ChatGPT Pro, conditional access to Codex Security, and API credits to run automation scripts and release workflows.
- The Models: Security researchers are equipped with OpenAI’s newly finalized, defensive-tuned GPT-5.5-Cyber model (which scored a high 85.6% on the CyberGym benchmark) alongside the updated Codex Security plugin to map attack paths and validate issues in controlled environments.
Initial participants include foundational internet, networking, language, and cryptographic infrastructure:
- cURL
- The Go project
- Python & python.org
- Sigstore
- pyca/cryptography
- aiohttp
- NATS Server
- freenginx
3. Early Successes
An initial five-day sprint conducted by Trail of Bits across 19 projects yielded massive immediate results: hundreds of discovered bugs, 64 pull requests, and dozens of successfully merged patches.
Notable early milestones from the broader Daybreak research include:
- Fuzzing Labs in a Day: Researchers used GPT-5.5-Cyber to stand up complete fuzzing labs (automated software testing environments) in under 24 hours—a task that normally takes human experts two to three weeks.
- The 23-Year-Old Bug: The system uncovered a 23-year-old “use-after-free” flaw hidden deep within the OpenBSD kernel.
- Pre-Emptive Contest Fix: The tool identified a serious WebAssembly vulnerability in Firefox. Mozilla successfully patched the flaw (CVE-2026-8390) just two days before the Pwn2Own Berlin hacking competition, prompting five of the six registered contestants targeting Firefox to withdraw.
- The “HTTP/2 Bomb”: In partnership with Calif, the system mapped a massive denial-of-service vulnerability affecting major web servers like NGINX, Apache, and IIS, estimated to impact over 880,000 internet-facing servers.
The Big Picture: This automated defense push comes amidst intense competition. Anthropic is running a parallel enterprise cybersecurity initiative code-named Project Glasswing (powered by its Claude Mythos model), which has reportedly uncovered more than 10,000 high- and critical-severity vulnerabilities across systemically important global software.