OpenAI Launches Patch the Planet

OpenAI has launched Patch the Planet, a cybersecurity initiative under its broader Daybreak program. The initiative pairs AI-powered vulnerability discovery with expert human security review to identify and patch critical flaws in open source software relied on by millions of developers and end users globally. (Source: OpenAI’s official Patch the Planet announcement.)

The initiative is built in partnership with security research firm Trail of Bits, and its initial sprint targets 19 high-profile open source projects. Named participating projects include the cURL library, Go programming language, Python runtime, and Sigstore software supply chain tooling.

As of the initiative’s launch, researchers have already identified hundreds of security issues across the targeted codebases, and dozens of patches have already been merged. Many additional fixes are currently undergoing coordinated disclosure with project maintainers ahead of public release.

Patch the Planet Operates on Maintainer-Led Collaboration

Every engagement under the initiative begins with direct consultation with a project’s maintainers to align on shared priorities. These priorities may include vulnerability validation, patch development, CI/CD pipeline hardening, or longer-term security engineering support. Trail of Bits has committed its entire security research organization to the initial surge, working directly with maintainers to investigate findings, develop and test fixes, and coordinate disclosure through each project’s established channels. (Source: OpenAI’s official Patch the Planet announcement.)

Beyond Trail of Bits, OpenAI is partnering with HackerOne and Calif to expand triage capacity, manage coordinated disclosure processes, and run additional targeted vulnerability discovery efforts. Participating projects receive access to ChatGPT Pro, conditional access to the Codex Security plugin, and API credits earmarked for core open source development work, maintainer automation tasks, and release workflow management. Initial participants span networking, cryptography, supply chain, and language infrastructure projects, with additional projects slated to join future rounds.

AI Tools Accelerate Audit and Patching Workflows

Security researchers working on Patch the Planet are equipped with OpenAI’s frontier models, including the specialized GPT-5.5-Cyber build and the Codex Security plugin, to accelerate every stage of the audit and patching process. (Source: OpenAI’s Daybreak program overview.) GPT-5.5-Cyber sets state-of-the-art performance on the CyberGym cybersecurity benchmark, scoring 85.6% on the evaluation.

Initial Sprint Delivers Reusable Security Infrastructure

Beyond project-specific fixes, the initial Patch the Planet sprint has produced a library of reusable security tooling that participating projects can use to continue improving their security posture long after the initial engagement concludes. This tooling includes fuzzing harnesses, historical CVE analysis pipelines, differential testing systems, expanded test suites, and automated workflows for deduplication, false-positive filtering, severity correction, and patch generation. (Source: OpenAI’s official Patch the Planet announcement.)

Early sprint results quantify the speed gains from pairing AI with human review. For example, a full fuzzing lab covering dozens of entry points, variant builds, and platforms was built in less than a day using repeated Codex /goal runs with GPT-5.5-Cyber. Trail of Bits estimates this same work would take at least several weeks to complete manually.

In another result from the sprint, a reusable pipeline for identifying variants of known CVEs ingests public vulnerability history, extracts attack patterns, searches target codebases for related flaws, and routes high-confidence findings to engineers for confirmation. This turns years of public CVE data into a repeatable cross-project audit strategy.

Differential testing across multiple implementations of the same protocol, which requires custom glue code to connect implementations to a common test harness, was completed in days rather than weeks or months after Codex generated and iterated on the required integration code.

The initiative directly addresses a documented pain point for open source maintainers: AI tools have accelerated vulnerability discovery, but most small maintainer teams lack the resources to triage, patch, and disclose the growing volume of reported flaws. By pre-triaging findings, developing patches, and delivering reusable tooling, Patch the Planet reduces the administrative and technical burden on maintainers rather than adding to it. (Source: OpenAI’s Daybreak program overview.)

This is a deliberate design choice OpenAI highlighted in its Daybreak program announcement, intended to avoid overwhelming the very teams the initiative aims to support. The maintainer-led consultation model also ensures security work aligns with each project’s specific needs and disclosure preferences. This avoids the common issue of uncoordinated vulnerability reports that can put users at risk before fixes are available.

Bottom line: Maintainers of widely used open source projects can apply for future Patch the Planet rounds to access free AI-audited vulnerability reports, pre-developed patches, and reusable security tooling, cutting the time and resource cost of addressing critical security flaws in their codebases.

Last updated: Jun 22, 2026.
Aira

Founding Editor and Publisher of ZBrandCo, covering artificial intelligence, open-source software, and the developer tools people actually use. Signal over hype: every story starts from a primary source and explains why it matters. ZBrandCo runs no paid reviews and no affiliate links. Tips and corrections: editorial@zbrandco.com.