OpenAI Wants to Patch the Internet. It's Starting With 19 Projects.

Updated: June 23, 2026

OpenAI Is Sending Security Engineers to Fix the Internet’s Most Neglected Code

The company that builds AI also wants to patch the open-source software everything runs on. The name they picked for it? Patch the Planet.

Yes, that’s a Hackers reference. The 1995 movie. They know what they’re doing.

Announced Monday, Patch the Planet is a new initiative under OpenAI’s Daybreak cybersecurity program.

It pairs OpenAI’s most capable security model – GPT-5.5-Cyber – with human engineers from Trail of Bits, a respected security firm.

Together, they’re working directly with open-source maintainers to find bugs, write patches, and actually merge fixes. Not just file reports and walk away.

That last part matters. The internet runs on open-source software maintained by small, stretched-thin teams of volunteers.

A Linux Foundation study cited by OpenAI found that 94% of widely used open-source projects had fewer than 10 developers responsible for over 90% of the code.

These are the people holding up critical infrastructure with duct tape and free time. AI just made their jobs harder by accelerating how fast vulnerabilities get discovered – without speeding up how fast they get fixed.

What’s Already Happened

Trail of Bits committed its entire security research organization to an initial sprint. In the first five days, they worked across 19 projects and turned up hundreds of security issues.

Sixty-four pull requests were submitted. Fifty-one issues were filed. Thirty-seven patches are already merged. Many more are still going through coordinated disclosure.

The early project list reads like a who’s-who of critical open-source infrastructure: cURL, Python, the Go project, aiohttp, Sigstore, pyca/cryptography, NATS Server, freenginx.

More than 30 projects have committed to participating. HackerOne and Calif are also involved in triage and disclosure.

Participating projects get access to ChatGPT Pro, conditional access to Codex Security, and API credits for development and release workflows.

Trail of Bits wasn’t just filing bug reports either. They contributed correctness fixes to RustCrypto’s big-integer library, supply-chain improvements to Python’s Windows release pipeline, and storage fixes in SimpleX.

Some of the best contributions, they say, weren’t even bug fixes – they were fuzzing harnesses, CI security scanning, and testing infrastructure that projects can reuse long after the sprint ends.

The Broader Daybreak Numbers

Patch the Planet is part of something bigger. OpenAI’s Daybreak program has been quietly racking up serious findings across the software stack.

In the Linux kernel, OpenAI’s models identified pointer information leaks and local privilege escalations.

In OpenBSD, they found a 23-year-old use-after-free bug – sitting in the kernel for over two decades, unnoticed.

In Chrome, researchers reported five exploitable bugs in the V8 JavaScript engine. More than 10 were found in Safari’s WebKit.

The Firefox story has the best timing.

OpenAI discovered a WebAssembly vulnerability using GPT-5.5-Cyber during safety evaluations. Mozilla patched it just two days before Pwn2Own Berlin – a major hacking competition.

Five of six registered Firefox exploit entries withdrew. No Firefox exploit was successfully demonstrated at the event.

Codex Security, the tool powering much of this work, has scanned over 30 million commits across 30,000+ codebases since its March research preview. Human reviewers have marked over 70,000 findings as fixed.

The Anthropic Angle Is Hard to Ignore

OpenAI isn’t saying this out loud, but the competitive framing is obvious.

Anthropic’s Mythos model has been widely described as the most cyber-capable AI system in existence – one that can find vulnerabilities and generate exploits.

That capability is exactly why the Pentagon has been so interested in it, and exactly why it makes people nervous.

OpenAI is flipping that narrative. Instead of building the sharpest attack tool, it’s positioning itself as the company that uses AI to defend. Patch the Planet doesn’t find bugs and walk away.

It finds bugs, validates them with human experts, writes the patches, tests them, and helps get them merged – all on the maintainer’s terms.

Whether that framing holds up long-term depends on execution. But the pitch is clear: our AI protects. Theirs worries people.

The Real Question

Can this scale?

Trail of Bits threw its entire research team at a five-day sprint and covered 19 projects. The open-source ecosystem has thousands of critical projects that need this kind of attention.

OpenAI hasn’t disclosed long-term funding plans or how it picks which projects get help.

The Log4j incident from 2021 showed what happens when a single bug in a widely used library goes unpatched. One vulnerability. Millions of exposed systems.

The problem hasn’t gotten smaller since then. AI has made bug discovery faster, but the people who actually fix the code are still volunteers running on fumes.

Patch the Planet is a good start. Nineteen projects, hundreds of bugs, dozens of merged patches. The question is whether it becomes infrastructure or stays a sprint.