Patch the Planet: OpenAI Puts AI to Work for Open Source Security
On June 22, 2026, OpenAI expanded its Daybreak cybersecurity program and unveiled a new initiative designed to secure the most popular open source projects: Patch the Planet.
Launched in mid-May 2026, Daybreak is OpenAI's answer to Anthropic's Glasswing project. In both cases, the finding is the same: AI models spot vulnerabilities faster than teams can fix them. The result is that developers are drowning in reports.
OpenAI therefore wants to tackle the remediation phase: validating a flaw, measuring its impact, developing and testing a fix, coordinating disclosure, and deploying the patch. The new versions of OpenAI's tools are focused on this part of the chain.
Codex Security: 30 million commits scanned in three months
Codex Security, available in preview since March 2026, integrates directly into Codex to place, in OpenAI's words, the equivalent of a security engineer next to every developer. The tool is not just there to create alerts. It is there to understand the code, identify vulnerabilities, check whether the affected code is actually reachable through an attack path, gather validation evidence, produce a targeted fix, and then verify the result. It is meant to cover the full chain.
Figures highlighted by OpenAI since the March launch:
- More than 30 million commits scanned across more than 30,000 codebases,
- More than 70,000 findings marked as fixed by human reviewers,
- More than 500,000 findings determined to have been fixed automatically.
The plugin update adds useful workflows to streamline remediation, including deep scans, report generation with severity levels, and codebase-specific fix generation. What is interesting is that it can also help you sort and validate vulnerabilities identified with other tools, or even bug bounty reports.
Despite all these automated tasks that Codex Security can handle, OpenAI takes the opportunity to remind us that humans still make the final decision.
GPT-5.5-Cyber: 85.6% on CyberGym
Beyond Codex Security, OpenAI announced the full release of GPT-5.5-Cyber. This model is presented as OpenAI's most capable system for finding and helping fix software vulnerabilities, while preserving the overall performance of GPT-5.5.
On the benchmarks highlighted by the company, the gains are clear compared with GPT-5.5:
- CyberGym (reproducing known vulnerabilities): 85.6% versus 81.8%, the best score OpenAI has measured so far.
- ExploitGym (turning a known flaw into a functional exploit): 39.5% versus 25.95%.
- SEC-bench Pro (finding flaws and generating proof-of-concept material on complex targets): 69.8% versus 63.1%.
According to internal tests carried out by OpenAI (which should be taken with a grain of salt), GPT-5.5-Cyber outperforms Anthropic's Claude Mythos 5. If that is really the case, this is seriously impressive.

For now, access remains locked down. GPT-5.5-Cyber is being distributed through the Trusted Access for Cyber program, reserved for verified defenders whose missions require the most advanced capabilities. But even if OpenAI were to release this model to the general public, we can imagine the White House would still have something to say about it!
OpenAI, for its part, recommends sticking with GPT-5.5 paired with Codex Security. This combination has already helped identify and validate vulnerabilities in popular systems and software, including Firefox, the V8 JavaScript engine, Safari, OpenBSD, FreeBSD, and HTTP/2 implementations.
In any case, OpenAI is already working with France, unlike Anthropic: "Over the past month, we have already established Trusted Access for Cyber partnerships with Australia, Canada, France, Germany, Japan, the Republic of Korea, and European Union institutions such as ENISA," reads the OpenAI press release.
Patch the Planet to support open source
The third area OpenAI addressed is Patch the Planet. This initiative funds expert researchers and the Codex Security teams to work with maintainers of widely used open source projects.
"Open source software is at the heart of many products, public services, developer tools, and critical infrastructures across every sector. A vulnerability in a widely used network library can affect thousands of downstream systems," it says. OpenAI therefore wants to help secure the most popular open source projects, the ones that are most critical to the IT ecosystem.
More than 30 open source projects are said to have committed to participate, including cURL, Go, Python, Sigstore, and pyca/cryptography. Trail of Bits, which helped create this foundation alongside OpenAI, says it has mobilized its engineers across 19 projects. On the Trail of Bits website, you can also request to join the Patch the Planet program if you maintain an open source project.

