OpenAI’s Patch the Planet hunts open-source bugs

OpenAI’s Patch the Planet uses GPT-5.5-Cyber and Trail of Bits engineers to find and fix bugs across 19 critical open-source projects.

OpenAI has launched Patch the Planet, a security push that uses its GPT-5.5-Cyber model to find and fix bugs in open-source software, the company announced on Monday, 22 June 2026.

The initiative sits under OpenAI’s wider Daybreak cybersecurity programme and pairs the company’s models with human security engineers from the firm Trail of Bits, as reported by Engadget.

The pair work directly with open-source maintainers rather than dumping bug reports on them.

What Patch the Planet actually does

The workflow is hands-on from start to finish. The system finds a bug, gets it validated by a human expert, writes a patch, tests that patch and then helps push the fix into the project, all on the maintainer’s terms rather than over their heads.

At the centre of it sits GPT-5.5-Cyber, a version of OpenAI’s model tuned specifically for security work rather than general chat. Pairing that with experienced human reviewers is the part that matters, since an AI flagging a flaw is only useful if a person can confirm it is real.

In its first week, Trail of Bits engineers ran OpenAI’s Codex and GPT-5.5-Cyber models across 19 open-source projects.

They turned up hundreds of legitimate bugs and 51 confirmed issues, of which 19 had already been patched by the time the project went public.

The first round reads like a roll call of the software the internet quietly runs on. It includes cURL, the Go project, Python and python.org, the NATS server, pyca/cryptography, Sigstore, aiohttp and freenginx, all tools that sit deep inside countless apps and services.

Why the open-source security push matters

Open-source code is the backbone of modern software, yet much of it is maintained by tiny teams or lone volunteers with little time to chase obscure vulnerabilities.

That mismatch between how critical the code is and how thinly it is resourced is exactly the gap OpenAI is aiming at.

The launch lands against a noisy backdrop of breaches and ransomware hitting everything from universities to game studios, where a single unpatched flaw can cascade into millions of exposed records.

Tools that close holes before attackers find them are suddenly a much easier sell to nervous maintainers.

It also lets OpenAI cast its models as a defensive tool at a moment when AI is more often blamed for powering attacks. Showing the same technology hardening critical infrastructure is a useful counter-story while regulators and developers argue over how risky these systems really are.

OpenAI says the goal is to widen Patch the Planet well beyond the opening 19 projects, so the obvious question is how many maintainers actually opt in.

The next sign of whether it works will be the patch count climbing and bigger, busier projects signing up to the programme.