
OpenAI expands patching to Python, cURL, Go

OpenAI’s new “Patch the Planet” effort, announced on June 22, pairs its GPT‑5.5‑Cyber model with a team of security engineers from Trail of Bits to hunt, validate and fix flaws in high‑profile open‑source projects.

Why the initiative matters for open‑source maintainers

Earlier this year, the cURL project halted its six‑year bug bounty program after an influx of low‑quality AI‑generated reports overwhelmed the small team that runs the software. “We need to make moves to ensure our survival and intact mental health,” project lead Daniel Stenberg said, noting a drop in the confirmed‑vulnerability rate to under 5 percent while triage times climbed.

HackerOne followed suit in March, pausing its internet bug bounty program for similar reasons. The problem is not a lack of bugs but a mismatch between the speed at which AI models can surface potential issues and the capacity of volunteer maintainers to review them.

How “Patch the Planet” is structured

The program claims to cover the full defensive loop: discovery, validation, severity review, disclosure, patch development, testing and deployment. More than 30 projects have signed up, including cURL, the Go runtime, Python, Sigstore, pyca/cryptography, NATS Server, aiohttp and freenginx.

Trail of Bits has dedicated its entire security research organization to the effort, creating a human‑review layer that sits between the AI model and project maintainers. Engineers reproduce evidence, check findings against project documentation, prune duplicates and reassess severity before sending a confirmed vulnerability and a validated patch to the maintainers.

“Patch the Planet is an internet‑scale effort to help open‑source software get ahead of AI bug‑hunting tools,” Trail of Bits CEO Dan Guido told Digital Trends. “It also shows maintainers the benefits of AI coding tools rather than only the downsides.”

Early results from the first sprint

In a five‑day sprint, the joint team generated hundreds of security issues and merged dozens of patches across 19 projects. The sprint also produced reusable security infrastructure—fuzzing harnesses, historical‑CVE analysis pipelines, differential‑testing systems and deduplication workflows—that participating teams can continue to use after the engagement ends.

The effort was also fast. Trail of Bits estimates that building a comparable fuzzing lab manually would take several weeks; the sprint completed it in under a day. The rapid turnaround demonstrates how AI can accelerate certain phases of vulnerability research, provided a human filter removes false positives.

Performance of GPT‑5.5‑Cyber

GPT‑5.5‑Cyber, a fine‑tuned variant of GPT‑5.5 designed for defensive security work, scored 85.6 percent on OpenAI’s CyberGym benchmark, outpacing the standard GPT‑5.5 (81.8 percent) and Anthropic’s Mythos 5 (83.8 percent). On ExploitGym, the model reached 39.5 percent versus 25.95 percent for the standard version, and on SEC‑bench Pro it scored 69.8 percent against 63.1 percent.

The AI scanned more than 30 million lines of Linux kernel code, producing eight pointer‑information‑leak proof‑of‑concepts and 24 local‑privilege‑escalation exploits. It also confirmed a 23‑year‑old use‑after‑free bug in OpenBSD’s System V semaphore handling and uncovered a WebAssembly vulnerability (CVE‑2026‑8390) that Mozilla patched two days before a major security competition.

Codex Security, the plugin layer beneath the model, has scanned over 30 million commits across 30 000 codebases since its research preview began in March 2026. Human reviewers have confirmed more than 70 000 findings as fixed, while the plugin automatically resolved more than 500 000 additional findings.

Access restrictions and partnerships

The system is not available through the regular ChatGPT interface. Access is limited to vetted security professionals via OpenAI’s Trusted Access for Cyber program, which requires phishing‑resistant account security, organizational verification and scoped usage controls.

The Daybreak Cyber Partner Program, announced alongside the model release, enrolls 28 security firms—including Accenture, Akamai, Cisco, Cloudflare, CrowdStrike, Darktrace, Fortinet, IBM, Okta, Palo Alto Networks, Proofpoint, SentinelOne, Wiz and Zscaler—to embed the technology in their products. Government partnerships span agencies in Australia, Canada, France, Germany, Japan, South Korea and EU institutions such as ENISA.

External perspective on the initiative

Industry analysts note a potential conflict of interest: OpenAI both accelerates vulnerability discovery and sells access to the remediation platform. One recent analysis described the situation as “security vendors becoming both the lab that sets the pace of the threat and the shop that sells the fix.” The real test, observers say, will be whether projects like Python and Go retain control over their code while benefiting from faster patch delivery.

Regulators are already paying attention. The Canadian Centre for Cyber Security warned in April 2026 that AI‑driven exploitation could outpace vendors’ ability to publish corrective measures. On the same day Patch the Planet was announced, Five Eyes intelligence agencies issued a joint statement that frontier AI models will transform offensive cyber capabilities “in months, not years.” The EU’s Cyber Resilience Act, set to enforce reporting of actively exploited vulnerabilities to ENISA within 24 hours, further raises the stakes for open‑source projects that underpin commercial software.

Looking ahead

Patch the Planet’s human‑review layer aims to prevent the flood of unfiltered AI reports that forced cURL to shut down its bug bounty program. Whether the initiative can sustain its early momentum and keep maintainers in the driver’s seat remains to be seen, but the partnership marks a notable shift in how the industry tackles the growing gap between AI‑driven discovery and the limited resources of open‑source maintainers.
