OpenAI widens Daybreak for software defence

OpenAI has expanded its Daybreak cybersecurity programme with Patch the Planet, a new initiative aimed at helping open-source maintainers find, validate and fix software flaws before attackers can exploit them.

The project, built with security research firm Trail of Bits and supported by HackerOne, Calif, researchers and maintainers, shifts the focus from simply discovering vulnerabilities to landing tested patches in widely used software. It comes as artificial intelligence tools accelerate bug hunting, creating both opportunities for defenders and a heavier workload for maintainers already dealing with limited resources and large backlogs.

Patch the Planet is designed to pair AI-assisted security research with expert human review. Security engineers use OpenAI’s cyber-capable models and Codex Security to investigate possible vulnerabilities, filter out false positives, develop fixes, improve tests and coordinate disclosure through the channels preferred by each project. Maintainers remain responsible for accepting changes and deciding how fixes are released.


More than 30 open-source projects have committed to taking part. Early participants include cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python and python.org. These projects sit inside critical layers of the digital economy, covering networking, cryptography, language infrastructure, software supply chains and web services used by companies, governments and individual developers.

Trail of Bits has put its security research organisation behind the first phase. Its engineers have worked full-time across 19 open-source projects using Codex and GPT-5.5-Cyber, identifying hundreds of security issues and merging dozens of patches. Some findings remain under coordinated disclosure, meaning technical details will be held back until fixes are available or maintainers complete their remediation process.

The initiative reflects a broader change in cybersecurity. Advanced models can now scan large codebases, reason through possible attack paths, generate proof-of-concept evidence in controlled settings and draft patches. That speed creates a new bottleneck: maintainers must still decide whether a finding is real, how serious it is, whether a patch breaks other functions, and how disclosure should be handled.

OpenAI’s Daybreak update also includes a wider launch of GPT-5.5-Cyber under a limited-access programme for trusted defenders, an updated Codex Security plugin and a partner programme that lets security firms integrate defensive models into their services. Codex Security has scanned more than 30 million commits across more than 30,000 codebases since its research preview began in March. Human reviewers have marked more than 70,000 findings as fixed, while the system has automatically identified more than 500,000 resolved findings.

OpenAI says GPT-5.5-Cyber achieved 85.6 per cent on CyberGym, compared with 81.8 per cent for GPT-5.5, and showed stronger results on other cyber benchmarks. The company is keeping access restricted because the same capabilities that help defenders find and patch flaws could help malicious actors discover attack paths at scale.

Patch the Planet tries to address one of the main complaints from open-source maintainers: automated reports can flood small teams with low-quality findings. The programme requires security researchers to reproduce evidence, remove duplicates, reassess severity and submit only confirmed issues. The model is intended to reduce “slop” vulnerability reports rather than add to them.

The early work has also produced infrastructure intended to outlast the first wave of fixes. Engineers have built fuzzing harnesses, differential-testing systems, historical-CVE analysis pipelines, threat models, expanded test suites and workflows for deduplication and false-positive filtering. In one case, a fuzzing lab covering dozens of entry points, variant builds and platforms was assembled in less than a day, work that would normally take weeks.
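The triage workflow the article describes (reproduce, deduplicate, reassess severity, submit only confirmed issues) can be sketched as a small pipeline over scanner output. The following is an added illustration, not code from OpenAI, Trail of Bits or Patch the Planet; the `Finding` schema, the sanitizer-style traces and the severity rules are all constructed assumptions for this example.

```python
"""Triage pipeline for automated vulnerability findings (added illustration).

Models the workflow described above: reproduce, deduplicate, reassess
severity, and submit only confirmed issues. The Finding schema, field
names and severity rules are assumptions for this example, not any
project's real format.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass
class Finding:
    tool: str               # scanner, model or harness that produced it
    file: str               # source file as reported
    function: str           # enclosing function
    cwe: str                # weakness class, e.g. "CWE-787"
    crash_trace: str        # raw sanitizer output or stack trace
    reproduced: bool        # did a harness or human reproduce it?
    reachable: bool         # is the sink reachable from untrusted input?
    reported_severity: str  # the tool's own severity guess


# Build-specific noise that must not affect the fingerprint.
_ADDR = re.compile(r"0x[0-9a-fA-F]+")       # heap/stack/code addresses
_LINE = re.compile(r":\d+(:\d+)?")          # file:line[:col]
_PID = re.compile(r"==\d+==")               # sanitizer process id


def fingerprint(f: Finding) -> str:
    """Stable key so the same bug reported by different tools or builds
    collapses to one entry. Addresses, pids and line numbers vary per
    build, so they are normalised away; only the top three frames are
    kept because deeper frames differ by fuzzing entry point."""
    norm = _PID.sub("==PID==", _ADDR.sub("ADDR", f.crash_trace))
    norm = _LINE.sub("", norm)
    frames = [ln.strip() for ln in norm.splitlines() if ln.strip()][:3]
    key = "|".join([f.file.lower(), f.function, f.cwe, *frames])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def reassess_severity(f: Finding) -> str:
    """Override the tool's guess with a reachability-aware rating."""
    memory_cwes = {"CWE-787", "CWE-125", "CWE-416", "CWE-122"}
    if not f.reachable:
        return "low"            # real bug, but no untrusted path to it
    if f.cwe in memory_cwes:
        return "high"           # reachable memory-safety bug
    return f.reported_severity


_RANK = {"high": 0, "medium": 1, "low": 2}


def triage(findings: list[Finding]) -> tuple[list[dict], dict]:
    """Return (reports fit to submit, counters explaining what was dropped)."""
    stats = {"total": len(findings), "unreproduced": 0,
             "duplicates": 0, "submitted": 0}
    seen: dict[str, dict] = {}
    for f in findings:
        if not f.reproduced:
            stats["unreproduced"] += 1   # never forward unconfirmed noise
            continue
        fp = fingerprint(f)
        if fp in seen:
            stats["duplicates"] += 1
            seen[fp]["sources"].append(f.tool)  # keep provenance, drop copy
            continue
        seen[fp] = {"id": fp, "file": f.file, "function": f.function,
                    "cwe": f.cwe, "severity": reassess_severity(f),
                    "sources": [f.tool]}
    reports = sorted(seen.values(), key=lambda r: _RANK[r["severity"]])
    stats["submitted"] = len(reports)
    return reports, stats


# Constructed sample: one bug seen twice by different tools, one
# unreproduced report, one real but unreachable issue.
SAMPLE = [
    Finding("fuzz-harness", "src/http/parser.c", "parse_header", "CWE-787",
            "==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010\n"
            "    #0 0x4a1b2c in parse_header src/http/parser.c:142:9\n"
            "    #1 0x4a2000 in read_request src/http/server.c:88",
            True, True, "medium"),
    Finding("codex-scan", "src/http/parser.c", "parse_header", "CWE-787",
            "==5678==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000020\n"
            "    #0 0x5b1000 in parse_header src/http/parser.c:142:9\n"
            "    #1 0x5b2222 in read_request src/http/server.c:91",
            True, True, "high"),
    Finding("codex-scan", "src/tls/handshake.c", "parse_ext", "CWE-125",
            "suspected out-of-bounds read in parse_ext src/tls/handshake.c:210",
            False, True, "high"),
    Finding("static-scan", "src/http/query.c", "parse_query", "CWE-20",
            "unchecked length in parse_query src/http/query.c:57",
            True, False, "medium"),
]


def demo() -> tuple[list[dict], dict]:
    return triage(SAMPLE)
```

Running `demo()` yields two submittable reports out of four findings: the duplicated heap overflow (rated high, with both tools listed as sources) and the unreachable input-validation issue (downgraded to low); the unreproduced report is held back rather than forwarded to the maintainer.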

Daybreak’s broader testing has also examined operating systems, network software and browsers. The work has included analysis of Linux kernel components, local privilege escalation issues in FreeBSD, a long-standing OpenBSD kernel flaw, vulnerable patterns in dnsmasq, HTTP/2 denial-of-service behaviour affecting major server implementations, and exploitable bugs in browser engines.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
