OpenAI's Daybreak Initiative Unveils "Patch the Planet" to Fortify Open-Source Security
The launch of OpenAI's Patch the Planet initiative signifies a critical shift in how AI is being deployed in cybersecurity, moving beyond mere vulnerability discovery to active, AI-assisted remediation. This collaborative effort with human experts and open-source maintainers addresses the growing bottleneck in patching, which is crucial for securing the foundational software infrastructure the world relies upon. By directly funding and equipping security researchers to work within open-source projects, OpenAI is making a tangible investment in the software supply chain, potentially setting a new standard for AI's role in defensive security.
By NeuraFeed
OpenAI has significantly expanded its Daybreak cybersecurity initiative with the launch of "Patch the Planet," a program designed to address the growing backlog of open-source software vulnerabilities. This new effort pairs advanced AI models like GPT-5.5-Cyber and the Codex Security plugin with human security experts to identify, validate, and directly assist in patching critical bugs. The initiative aims to shift the cybersecurity bottleneck from vulnerability discovery to efficient remediation, working collaboratively with open-source maintainers.
OpenAI's Daybreak Initiative Takes on Open-Source Security
OpenAI has launched a significant expansion of its cybersecurity initiative, Daybreak, introducing a new program called Patch the Planet to bolster the security of open-source software. This move comes as the company acknowledges that while AI is accelerating vulnerability discovery, the real challenge lies in efficiently patching these flaws before attackers can exploit them. The Daybreak initiative, first launched in May 2026, aims to embed frontier AI models into software security workflows from the earliest stages of development.
The core of Daybreak involves combining OpenAI models, the Codex Security tool, and strategic partnerships to support secure code review, threat modeling, patch validation, and remediation guidance. OpenAI emphasizes that Daybreak is built to accelerate the entire remediation loop: discovery, validation, severity review, disclosure, patch development, testing, and deployment.
Introducing "Patch the Planet" and AI-Powered Tools
The centerpiece of this expansion is Patch the Planet, an initiative co-founded with security firm Trail of Bits Inc. and in collaboration with HackerOne Inc. and Calif. This program funds expert security researchers and equips them with OpenAI's advanced models, including the newly released full version of GPT-5.5-Cyber, to work directly with open-source project maintainers. The goal is not just to find vulnerabilities, but to actively help develop and test patches, and coordinate disclosure.
GPT-5.5-Cyber is a specialized model for defensive security work, achieving an 85.6% score on CyberGym, OpenAI's internal benchmark for reproducing known software vulnerabilities. This represents a notable improvement over the standard GPT-5.5 model, which scored 81.8%. The Codex Security plugin, an application security agent launched in March 2026, also plays a crucial role by integrating vulnerability scanning directly into developer workflows. It can build threat models, identify vulnerabilities, determine code reachability, and generate targeted patches.
Collaborative Approach and Early Successes
OpenAI's approach with Patch the Planet is highly collaborative, with engagements beginning in consultation with maintainers to understand their project's specific needs. Security engineers review findings before they reach maintainers, aiming to reduce the burden on already stretched open-source teams. Trail of Bits has committed its entire security research organization to this effort, working across numerous projects.
Initial results from a five-day sprint across multiple projects have been promising, surfacing hundreds of issues and leading to the merging of dozens of patches. More than 30 open-source projects have committed to participate, including prominent names like cURL, Go, Python, Sigstore, and pyca/cryptography. Through its broader Daybreak research, OpenAI's models have also uncovered significant vulnerabilities, such as a 23-year-old use-after-free flaw in OpenBSD's kernel and multiple exploitable bugs in Chrome's V8 JavaScript engine and Safari's WebKit. Notably, a WebAssembly vulnerability found in Firefox with GPT-5.5 was patched just two days before Pwn2Own Berlin, leading to the withdrawal of five out of six registered Firefox entries.
