OpenAI Launches Patch The Planet To Help Secure Critical Open-Source Software

By Amit Chowdhry ● Jun 24, 2026

OpenAI announced Patch the Planet, a Daybreak initiative built with Trail of Bits to help open-source maintainers strengthen critical software projects.

The initiative combines AI-assisted security research using OpenAI’s cyber-capable models with expert human review to identify, validate, and patch vulnerabilities.

OpenAI said AI is accelerating vulnerability discovery, but discovery alone does not protect users. Patch the Planet is designed to reduce the burden on maintainers by having security engineers review findings before they reach projects, help develop patches and tests, and create reusable workflows that can improve long-term security.

OpenAI is also partnering with HackerOne and Calif to support vulnerability triage, coordinated disclosure, and additional targeted vulnerability discovery efforts.

Each Patch the Planet engagement begins in consultation with maintainers. Security engineers work with project teams to understand their priorities and determine where support would be most useful, such as vulnerability validation, patch development, CI/CD improvements, or longer-term security engineering.

Initial participating projects include cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org. These projects support widely used networking, cryptography, software supply chain, and language infrastructure.

Participating security researchers are equipped with OpenAI frontier models and Codex Security to support analysis, patch development, testing, and documentation. Participating projects receive access to ChatGPT Pro, conditional access to Codex Security, and API credits for open-source development, maintainer automation, and release workflows.

Trail of Bits has dedicated security engineers to work full time with Codex and GPT-5.5-Cyber across 19 open-source projects. OpenAI said the team has already identified hundreds of security issues and merged dozens of patches, with additional issues still undergoing coordinated disclosure.

The initial work also produced reusable security infrastructure, including fuzzing harnesses, historical CVE analysis pipelines, differential-testing systems, threat models, expanded test suites, and workflows for deduplication, false-positive filtering, severity correction, and patch generation.

OpenAI said the broader Daybreak work has found issues across operating systems, networks, and browsers, including Linux kernel findings, an OpenBSD kernel use-after-free issue, FreeBSD vulnerabilities, vulnerable patterns in dnsmasq, HTTP/2 Bomb, Chrome V8 vulnerabilities, WebKit issues affecting Safari, and a Firefox WebAssembly vulnerability that Mozilla patched before Pwn2Own Berlin.

The company said project-specific technical details will be shared later as testing, remediation, and coordinated disclosures progress.

OpenAI said Patch the Planet is intended to put the full defensive loop in service of maintainers, including discovery, validation, severity review, disclosure, patch development, testing, and deployment.

The initiative is expected to expand beyond the first sprint as more maintainers join and more technical reports are published.

 
