OpenAI Launches Patch the Planet to Fix Open-Source Security at Scale, Releases GPT-5.5-Cyber Fully

OpenAI on Monday expanded its Daybreak cybersecurity initiative with two significant moves: the launch of Patch the Planet, a program to systematically find and fix vulnerabilities in widely used open-source projects, and the full public release of GPT-5.5-Cyber — previously available only to a limited set of vetted defenders. Together, the announcements position OpenAI as a significant player in proactive software security, not just AI development, as reported by SiliconAngle.
Patch the Planet is built in partnership with Trail of Bits, one of the security industry's most respected firms, along with HackerOne and Calif.io. The model is straightforward: GPT-5.5-Cyber scans open-source codebases for vulnerabilities at a speed no human team could match, and every finding is reviewed by a Trail of Bits security engineer before it is shared with a project maintainer. That human review step is intentional — it prevents AI-generated false positives from flooding maintainers with noise while they are already under-resourced.
More than 30 projects committed to participation at launch, including cURL, the Go project, Python's core library, Sigstore, and pyca/cryptography, projects that underpin enormous portions of the global software supply chain. An initial five-day sprint across 19 of those projects surfaced hundreds of potential issues and produced dozens of merged patches. One finding was particularly striking: a 23-year-old use-after-free flaw in the kernel of OpenBSD, an operating system used in critical networking infrastructure, that had gone undetected since 2003. The sprint also identified issues in Chrome's V8 engine, Safari's WebKit, and Firefox.
The timing reflects a real and worsening problem. OpenAI cited research showing that 94 percent of widely used open-source projects have fewer than ten developers responsible for more than 90 percent of the code. Those small teams are responsible for maintaining software that runs inside browsers, cloud servers, routers, and operating systems used by billions of people — and they are routinely overwhelmed. Vulnerability discovery, accelerated by AI tools, is now outpacing the capacity of maintainers to review and patch what gets found. Patch the Planet is attempting to close that gap by pairing AI-assisted discovery with funded security expertise at the delivery end.
On the model side, GPT-5.5-Cyber scores 85.6 percent on the CyberGym benchmark, up from 81.8 percent for the general-purpose GPT-5.5, making it OpenAI's highest-performing model on security tasks. The full release moves it from a limited trusted-defender preview to broader availability for vetted security professionals, alongside a new Daybreak Cyber Partner Program that lets security vendors integrate the model into commercial products. Seven companies joined at launch — Cisco, CrowdStrike, IBM, and four others — embedding GPT-5.5-Cyber's capabilities directly into enterprise security tooling rather than requiring customers to use it through OpenAI's own interface.
OpenAI's Daybreak program has now expanded well beyond its original scope. What started as a focused effort to prevent misuse of AI for cyberattacks has grown into an offensive security capability (GPT-5.5-Cyber for finding vulnerabilities), an open-source patching infrastructure (Patch the Planet), and a commercial partnership layer (the Daybreak Cyber Partner Program). That scope expansion is notable because it moves OpenAI into territory previously occupied by dedicated security firms — using AI not just to make products smarter, but to actively improve the security of infrastructure it does not own or operate.
For open-source maintainers, the practical question is whether the program generates genuine value or creates additional overhead. OpenAI and Trail of Bits have been explicit that the human review requirement is non-negotiable — no finding goes to a maintainer without a security engineer having verified it first. The early sprint results, with dozens of patches already merged, suggest the pipeline is functional. Whether it scales to the full 30-plus project roster without degrading finding quality is the test that matters.
Originally reported by OpenAI / SiliconAngle.