OpenAI launches Patch the Planet to fix open-source bugs
OpenAI launched 'Patch the Planet' on June 22, 2026, a Daybreak initiative built with Trail of Bits, HackerOne, and Calif to find and fix vulnerabilities in widely used open-source software using GPT-5.5-Cyber and expert human review. Early field results include 8 Linux kernel pointer-leak proof-of-concepts, 24 local privilege escalation exploits, over 10 exploitable Safari vulnerabilities, a Firefox WebAssembly CVE (CVE-2026-8390) patched before Pwn2Own, and four of six dnsmasq CVEs independently flagged before their public fix. Initial projects include cURL, Python, the Go project, aiohttp, Sigstore, and pyca/cryptography. Separately, Anthropic's Project Glasswing, using Claude Mythos, has uncovered more than 10,000 high- or critical-severity vulnerabilities across the most systemically important software, and that program has now expanded to roughly 150 organizations in over 15 countries.
What happened
OpenAI announced Patch the Planet on June 22, 2026, a Daybreak initiative built with Trail of Bits to help open-source maintainers strengthen critical shared infrastructure. The program pairs AI-assisted security research using GPT-5.5-Cyber, OpenAI's most capable cybersecurity model (it set a new 85.6% benchmark score on CyberGym), with full expert human review by Trail of Bits security engineers before any finding reaches a maintainer.
How it works
Each engagement begins with the maintainer defining scope and preferences. Trail of Bits engineers then investigate candidate vulnerabilities, validate confirmed issues, develop or refine patches, support testing, and coordinate disclosure through the project's own channels. Participants also receive Codex Security access, ChatGPT Pro accounts, and API credits. Initial projects include cURL, Python, the Go project, aiohttp, Sigstore, pyca/cryptography, NATS Server, and freenginx.
Early findings
Results already disclosed span every layer of the stack:
- Linux Kernel: GPT-5.5-Cyber scanned 30+ million lines of code and generated 8 pointer-leak PoCs and 24 local privilege escalation exploit PoCs.
- OpenBSD: A 23-year-old use-after-free in kernel System V semaphore handling, confirmed exploitable for local privilege escalation to root.
- FreeBSD: 34 confirmed vulnerabilities, 7 local privilege escalation PoCs.
- dnsmasq: 4 of the 6 CVEs later fixed in 2.92rel2 had been independently flagged beforehand.
- Chrome: 5 exploitable V8 JavaScript engine vulnerabilities found and reported.
- Safari: Over 10 exploitable WebKit vulnerabilities reported.
- Firefox: A WebAssembly vulnerability (CVE-2026-8390) identified and patched by Mozilla two days before Pwn2Own Berlin, causing five of six registered Firefox entries to withdraw.
- HTTP/2 Bomb: Calif used Codex to identify a denial-of-service technique affecting NGINX, Apache, IIS, and Pingora, estimated to affect 880,000+ internet-facing servers.
Parallel context
Anthropic's Project Glasswing, using Claude Mythos, has separately uncovered more than 10,000 high- or critical-severity vulnerabilities across systemically important open-source software, per Anthropic's own reporting. The program has been expanded to roughly 150 organizations in over 15 countries.
What to watch
Practitioners should track:
- whether GPT-5.5-Cyber technical details and safety guardrails are published for broader use
- how open-source maintainers adapt triage and disclosure pipelines to handle AI-accelerated discovery at scale
- whether coordinated disclosure frameworks and false-positive filtering tooling become standard requirements for AI-driven security research programs
Scoring Rationale
A major frontier-model security initiative with independently verified, high-severity CVE findings across Linux, Chrome, Safari, Firefox, and core network infrastructure, all directly actionable for security practitioners and open-source maintainers. The parallel Anthropic Glasswing expansion confirms this as a broad industry shift toward AI-assisted vulnerability discovery at scale, not a single-vendor announcement.