OpenAI and Trail of Bits Launch Patch the Planet to Fix Open Source Bugs
OpenAI has announced Patch the Planet, an initiative developed in partnership with Trail of Bits under the Daybreak program, aimed at helping the maintainers of the most critical open source projects find and fix security vulnerabilities. The premise is that frontier models have accelerated bug discovery to the point where the bottleneck has shifted from finding flaws to producing fixes, with the risk of burying often volunteer maintainers under reports they cannot keep up with.
The scale of the effort shows in the first-week numbers Trail of Bits published in its own report: hundreds of bugs identified, 64 pull requests and 51 issues opened across 19 projects, and 37 patches already merged.
The technical engine is GPT-5.5-Cyber, which OpenAI describes as its most capable model to date for finding and helping to fix software vulnerabilities: it can analyze large codebases in depth, validate findings in a controlled environment, and develop patches. In one case documented by Trail of Bits, the model set up an entire fuzzing lab on its own: it compiled the code with sanitizers, gathered an initial seed corpus, and wrote harnesses for a dozen entry points in under a day, a task that, according to the company, would have taken a human expert two to three weeks.
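As an added illustration of the kind of harness such a lab is built from (example code written for this page, not code from Trail of Bits, OpenAI, or any of the projects named here), the block below fuzzes a hypothetical length-prefixed record parser with libFuzzer under AddressSanitizer and UndefinedBehaviorSanitizer and replays a small constructed seed corpus. The record format, the function names, the seeds, and the unchecked variant of the parser are all assumptions made for the example.

```c
/* Added example (not Trail of Bits' or OpenAI's code): a libFuzzer harness
 * for a hypothetical length-prefixed record parser, built with ASan/UBSan
 * and seeded from a constructed corpus.
 *
 * Build as a fuzzer (clang):
 *   clang -g -O1 -fsanitize=fuzzer,address,undefined harness.c -o harness
 *   mkdir -p corpus && ./harness corpus/ -max_len=256
 * Build as a plain program that only replays the seeds:
 *   clang -g -fsanitize=address,undefined -DSTANDALONE harness.c -o replay
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record format (constructed for this example):
 *   byte 0       : tag
 *   byte 1       : payload length n
 *   bytes 2..2+n : payload
 * Returns the tag (0..255) on success, -1 on malformed input. */
int parse_record(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap)
{
    if (len < 2)
        return -1;                   /* header missing */
    size_t n = buf[1];
    if (n > len - 2)
        return -1;                   /* truncated: length field lies */
    if (n > out_cap)
        return -1;                   /* would overflow the caller's buffer */
    memcpy(out, buf + 2, n);
    return buf[0];
}

/* The same parser without the truncation check. Under -fsanitize=address the
 * harness finds the out-of-bounds read almost immediately: any input whose
 * length byte exceeds the remaining bytes makes memcpy read past the end of
 * the fuzzer-provided buffer. Shown only to illustrate what the sanitizer
 * build catches; the harness below does not call it. */
int parse_record_unchecked(const uint8_t *buf, size_t len, uint8_t *out)
{
    if (len < 2)
        return -1;
    memcpy(out, buf + 2, buf[1]);    /* BUG: trusts the length field */
    return buf[0];
}

/* libFuzzer entry point, called once per mutated input. Always returning 0 is
 * the contract; crashes and sanitizer reports are the signal. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t payload[255];
    (void)parse_record(data, size, payload, sizeof payload);
    return 0;
}

/* Convenience wrapper: parse and return only the tag. */
int parse_tag(const uint8_t *buf, size_t len)
{
    uint8_t payload[255];
    return parse_record(buf, len, payload, sizeof payload);
}

/* Seed corpus, constructed inline. In a real lab each seed is one file in
 * corpus/, and libFuzzer mutates from these instead of from empty input. */
struct seed { const uint8_t *data; size_t len; int expect; };

static const uint8_t seed_ok[]        = { 0x01, 0x03, 'a', 'b', 'c' };
static const uint8_t seed_empty[]     = { 0x02, 0x00 };
static const uint8_t seed_truncated[] = { 0x03, 0x10, 'x' };   /* claims 16, has 1 */
static const uint8_t seed_short[]     = { 0x04 };              /* no length byte */

static const struct seed seeds[] = {
    { seed_ok,        sizeof seed_ok,        1  },
    { seed_empty,     sizeof seed_empty,     2  },
    { seed_truncated, sizeof seed_truncated, -1 },
    { seed_short,     sizeof seed_short,     -1 },
};

/* Replays every seed through the parser and the harness; returns how many
 * seeds produced the expected result (4 means the corpus is consistent). */
int replay_seeds(void)
{
    int ok = 0;
    for (size_t i = 0; i < sizeof seeds / sizeof seeds[0]; i++) {
        if (parse_tag(seeds[i].data, seeds[i].len) == seeds[i].expect)
            ok++;
        (void)LLVMFuzzerTestOneInput(seeds[i].data, seeds[i].len);
    }
    return ok;
}

#ifdef STANDALONE
int main(void)
{
    printf("%d/4 seeds behaved as expected\n", replay_seeds());
    return 0;
}
#endif
```

Swapping `parse_record` for `parse_record_unchecked` inside `LLVMFuzzerTestOneInput` and rebuilding with the fuzzer line above is the quickest way to see the sanitizer report; the seeds that claim more payload than they carry are exactly the inputs a mutator would generate first.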
In parallel, an updated version of the Codex Security plugin has been released, offering in-depth scanning, severity-level reporting, attack path tracking, threat modeling, and generation of patches specific to individual codebases.
What Projects Receive
Under the program, Trail of Bits security engineers review findings before they reach maintainers, help develop the patches and accompanying tests, and build reusable workflows so that security keeps improving after the initial fixes are merged.
Among the projects involved in the initial phase are cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org. Participants receive access to ChatGPT Pro, conditional access to the Codex Security plugin, and API credits for open source development, maintainer automation, and release workflows. Over 30 projects have already joined, and the waiting list continues to grow.
The Daybreak Report
Patch the Planet sits inside Daybreak, a program that already has a substantial track record. It has produced 8 proof-of-concept kernel-pointer information leaks and 24 local privilege escalation exploits against the Linux kernel, a use-after-free in OpenBSD that had gone unnoticed for 23 years, 34 vulnerabilities in FreeBSD, 6 in dnsmasq, an HTTP/2 denial-of-service technique nicknamed Bomb that works against NGINX, Apache, IIS, and Pingora, 5 flaws in Chrome's V8 engine, 10 in Safari, and CVE-2026-8390 in Firefox. There is also a 29-year-old vulnerability in the Squid web proxy (CVE-2026-47729, dubbed Squidbleed) that can leak other users' HTTP requests in clear text.
To track progress in real time, Trail of Bits built an internal bot, nicknamed Patchy, that announces every new finding and every merged patch on Slack. What remains unclear is how much of this pace is reproducible for maintainers outside the initiative, who have no dedicated engineers triaging reports before they arrive.