Patch the Planet: a Daybreak initiative to support open source maintainers
OpenAI Blog · 2026-06-22
OpenAI announces Patch the Planet, a Daybreak initiative with Trail of Bits, HackerOne, and Calif that uses GPT-5.5-Cyber and Codex Security to discover, validate, and patch vulnerabilities in widely used open-source projects including cURL, Python, Linux, Chrome, and Firefox.
Extraction
Topics: ai-cybersecurity, open-source-security, vulnerability-research, openai-daybreak, responsible-disclosure
Claims
- GPT-5.5-Cyber and Codex Security identified hundreds of security issues across major open-source projects including the Linux kernel, OpenBSD, FreeBSD, Chrome, Safari, and Firefox, with dozens of patches already merged.
- Trail of Bits built a complete fuzzing lab covering dozens of entry points in under a day using Codex, a process estimated to normally take several weeks manually.
- Human expert review is an essential and irreplaceable step because frontier AI models produce a high volume of false positives that would overwhelm maintainers if unfiltered.
- GPT-5.5-Cyber identified a 23-year-old use-after-free vulnerability in OpenBSD's kernel implementation of System V semaphores enabling unprivileged local privilege escalation to root.
- An HTTP/2 Bomb denial-of-service technique affecting NGINX, Apache, IIS, and Pingora was identified, with over 880,000 internet-facing websites running affected software.
Key quotes
AI is accelerating vulnerability discovery, but discovery alone does not protect users. Many maintainers are already being asked to sort through more reports, more quickly, with the same limited time and resources. Patch the Planet is built to reduce that burden, not add to it.
While frontier AI models are highly capable of finding vulnerabilities and patching them, they also produce a high volume of false positives that can contribute to the already overwhelming backlog maintainers are facing.
Open-source software is shared infrastructure. Securing it should be shared work. AI is changing the pace of vulnerability discovery, and the work now is to make sure the benefits reach the maintainers and users who need them most.