As fears about AI hacking capabilities grow, OpenAI on Monday made a slew of cybersecurity-focused announcements, including an improved version of its limited-access security-specialized model GPT-5.5-Cyber, expanded international work with governments and other institutions to give them “trusted access” to the company's latest cybersecurity-focused models, and the release of its Codex Security scanner as an app plugin.
As advances across the AI industry leave critical open source projects at increasing risk of falling behind, though, the company also said on Monday that it is launching an effort known as Patch the Planet, founded with the prominent research-focused security firm Trail of Bits and in collaboration with vulnerability management firms HackerOne and Calif.
The project has already begun its work offering free security consulting services to open source maintainers to not only help them find and patch vulnerabilities, but also support them in strengthening their codebases and incorporating AI security tools into their development process. The idea is to give individualized support to as many open source projects as possible to improve both their current security and long-term resilience in a way that will actually be sustainable.
“Patch the Planet is an internet-scale effort to help open source software get ahead of AI bug hunting tools,” says Trail of Bits CEO and cofounder Dan Guido. “But it's also an effort to help the open source community see the benefits and not just the downsides of AI coding tools.”
Open source developers—typically volunteers keeping critical and widely used software afloat with few resources—are often already struggling to keep up with bug reports. The rise of AI vulnerability hunting in recent months has, for many maintainers, made that backlog feel insurmountable as AI-generated slop reports stack up, making it difficult to prioritize and pulling already limited time and attention away from critical flaws.
Maintainers “do their work out of love of open source and now they’re stuck reviewing slop CVEs,” says OpenAI's cyber tech lead Fouad Matin. With Patch the Planet, he says, “what we’ve effectively done is make it as efficient from a token perspective as possible to reduce the burden for maintainers—code base assessments, validating potential reports, creating patches, and landing them. We want to offset costs, whether it's tokens or people power, to actually patch as much of the world of software as possible.”
Matin adds that for its Codex Security scanner, which has been in research preview since earlier this year, OpenAI has been subsidizing usage for both open source and private code “to the tune of 20 trillion tokens.”
More than 30 open source projects are already participating in Patch the Planet, with more in the pipeline to start. To launch the project, Trail of Bits recently conducted a five-day opening sprint in which it had 25 engineers, or roughly a fifth of its workforce, simultaneously working on collaborations with an array of maintainers. OpenAI and Trail of Bits say the project has already uncovered hundreds of bugs and produced dozens of patches in just its first week. And Guido says that with funding from OpenAI as well as unmetered model access, Trail of Bits plans to continue its intense commitment to Patch the Planet work long term.
“It’s so rare that we get the opportunity to work on large scale open source security issues,” Guido says. “And Patch the Planet is not a one size fits all. We speak to all the maintainers for every single project and figure out what their highest priorities are, whether it’s building better testing infrastructure or custom fuzzers or just cleaning up technical data across the project because that’s what’s going to make them work faster and operate faster and patch faster.”
Monday's announcements by OpenAI come as its competitor Anthropic had to pull its new Fable 5 and Mythos 5 models off the market earlier this month amid fear from the Trump administration about AI cybersecurity capabilities. The White House decision to hit OpenAI with export controls on the models came after Anthropic publicly released the Mythos-grade Fable 5 with blocks on its advanced biological and cybersecurity capabilities—protections the administration feared were not adequate.
OpenAI's announcements on Monday, including the new checkpoint of GPT-5.5-Cyber, are all part of the company's limited “Trusted Access for Cyber” program and do not involve a public release. But with both Anthropic and OpenAI preparing for IPOs, competition clearly continues regardless of which products are currently on the market. In its GPT-5.5-Cyber announcement, for example, OpenAI points out that the model scores 85.6 percent on the benchmark assessment known as CyberGym, an improvement from a previous version of GPT-5.5-Cyber. The performance also beats Anthropic's Mythos 5, which scored 83.8 percent.
Amid this AI cybersecurity race, the Five Eyes intelligence alliance warned in an unusual joint statement on Monday that “frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months. … In this environment, cyber resilience is integral.”
For its part, Patch the Planet leaves participants with six months of free ChatGPT Pro and six months of Codex Security as well as infrastructure and workflow improvements that can be taken forward with an array of tools and human engineers.
“With Patch the Planet so far, only about half the time was spent finding bugs,” Trail of Bits’ Guido says. “We’re trying to find the most superficial, easily discoverable, most severe bugs and wipe them off the table, but the other half of the time we spent customizing agents to work on the code base so we can leave them behind and teach the maintainers how to use them.”
Update 6/22/26 at 1:05 pm ET: Added additional details about the Patch the Planet program.
<small>Source: Wired</small>