2 Sources
[1]
OpenAI Launches Full-Scale Effort to Patch Open Source Bugs as It Takes on Anthropic's Mythos
As fears about AI hacking capabilities grow, OpenAI on Monday made a slew of cybersecurity-focused announcements, including an improved version of its limited-access security-specialized model GPT-5.5-Cyber, expanded international work with governments and other institutions to give them "trusted access" to the company's latest cybersecurity-focused models, and releasing its Codex Security scanner as an app plugin. As advances across the AI industry leave critical open source projects at increasing risk of falling behind, though, the company also said on Monday that it is launching an effort known as Patch the Planet, founded with the prominent research-focused security firm Trail of Bits and in collaboration with vulnerability management firms HackerOne and Calif. The project has already begun its work offering free security consulting services to open source maintainers to not only help them find and patch vulnerabilities, but also support them in strengthening their codebases and incorporating AI security tools into their development process. The idea is to give individualized support to as many open source projects as possible to improve both their current security and longterm resilience in a way that will actually be sustainable. "Patch the Planet is an internet-scale effort to help open source software get ahead of AI bug hunting tools," says Trail of Bits CEO and cofounder Dan Guido. "But it's also an effort to help the open source community see the benefits and not just the downsides of AI coding tools." Open source developers -- typically volunteers keeping critical and widely used software afloat with few resources -- are often already struggling to keep up with bug reports. The rise of AI vulnerability hunting in recent months has, for many maintainers, made that backlog feel insurmountable as AI-generated slop reports stack up, making it difficult to prioritize and pulling already limited time and attention away from critical flaws. 
Maintainers "do their work out of love of open source and now they're stuck reviewing slop CVEs," says OpenAI's cyber tech lead Fouad Matin. With Patch the Planet, he says, "what we've effectively done is make it as efficient from a token perspective as possible to reduce the burden for maintainers -- code base assessments, validating potential reports, creating patches, and landing them. We want to offset costs, whether it's tokens or people power, to actually patch as much of the world of software as possible." Matin adds that for its Codex Security scanner, which has been in research preview since earlier this year, OpenAI has been subsidizing usage for both open source and private code "to the tune of 20 trillion tokens." More than 30 open source projects are already participating in Patch the Planet with more in the pipeline to start. To launch the project, Trail of Bits recently conducted a five day opening sprint in which it had 25 engineers, or roughly a fifth of its workforce, simultaneously working on collaborations with an array of maintainers. OpenAI and Trail of Bits say the project has already uncovered hundreds of bugs and produced dozens of patches in just its first week. And Guido says that with funding from OpenAI as well as unmetered model access, Trail of Bits plans to continue its intense commitment to Patch the Planet work long term. "It's so rare that we get the opportunity to work on large scale open source security issues," Guido says. "And Patch the Planet is not a one size fits all. We speak to all the maintainers for every single project and figure out what their highest priorities are, whether it's building better testing infrastructure or custom fuzzers or just cleaning up technical data across the project because that's what's going to make them work faster and operate faster and patch faster." 
Monday's announcements by OpenAI come as its competitor Anthropic had to pull its new Fable 5 and Mythos 5 models off the market earlier this month amid fear from the Trump administration about AI cybersecurity capabilities. The White House decision to hit OpenAI with export controls on the models came after Anthropic publicly released the Mythos-grade Fable 5 with blocks on its advanced biological and cybersecurity capabilities -- protections the administration feared were not adequate. OpenAI's announcements on Monday, including the new checkpoint of GPT-5.5-Cyber, are all part of the company's limited "Trusted Access for Cyber" program and do not involve a public release. But with both Anthropic and OpenAI preparing for IPOs, competition clearly continues regardless of which products are currently on the market. In its GPT-5.5-Cyber announcement, for example, OpenAI points out that the model scores 85.6 percent on the benchmark assessment known as CyberGym, an improvement from a previous version of GPT-5.5-Cyber. The performance also beats Anthropic's Mythos 5, which scored 83.8 percent. Amid this AI cybersecurity race, the Five Eyes intelligence alliance warned in an unusual joint statement on Monday that "frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months. ... In this environment, cyber resilience is integral."
[2]
OpenAI rolls out more capable version of its cybersecurity model
Why it matters: Even as Anthropic remains in limbo with the U.S. government, the race to get advanced AI models into the hands of cyber defenders continues to heat up.

Driving the news: OpenAI is updating its GPT-5.5-Cyber model -- which is only available to vetted cybersecurity companies and researchers -- so it is both "more permissive and more capable for advanced, authorized cybersecurity work," according to a blog post.
* The updated model can perform deeper analysis across large codebases, identify security-relevant components, validate likely vulnerabilities, and develop and test software patches.
* OpenAI says the updated GPT-5.5-Cyber achieved an 85.6% score on CyberGym, an internal benchmark that measures whether an AI agent can reproduce known software vulnerabilities in testing environments, compared with 81.8% for GPT-5.5.

The big picture: OpenAI is expanding access to its cybersecurity tools at a time when policymakers are paying closer attention to how advanced AI systems are evaluated, tested and deployed.
* AI developers face a difficult balancing act: getting powerful cyber capabilities into the hands of legitimate defenders and researchers while limiting opportunities for malicious use.

Between the lines: OpenAI is also rolling out a series of new programs and capabilities designed to let vetted cybersecurity companies use its models to help secure customer environments.
* The company is launching the OpenAI Daybreak Cyber Partner Program, which allows participating security vendors to use GPT-5.5 with Trusted Access for Cyber in the products and services they provide to customers.
* OpenAI is also helping fund Patch the Planet, an initiative founded with Trail of Bits and developed in collaboration with HackerOne and Calif, aimed at helping open-source maintainers manage and remediate vulnerabilities identified with AI-assisted tools.

What to watch: OpenAI says it has established partnerships with Australia, Canada, France, Germany, Japan, Poland, the Republic of Korea and EU institutions.
* The company also says it is working with critical infrastructure operators and government networks on ways to safely deploy advanced AI cybersecurity capabilities.
OpenAI has released an enhanced version of its GPT-5.5-Cyber model, achieving 85.6% on the CyberGym benchmark and outperforming Anthropic's Mythos 5. The company launched Patch the Planet, a major initiative with Trail of Bits to help open source maintainers manage AI-generated vulnerability reports. The move comes as Anthropic faces export controls from the Trump administration over AI cybersecurity concerns.
OpenAI has updated its GPT-5.5-Cyber model to deliver more capable and permissive performance for authorized AI cybersecurity work, marking a significant expansion of the company's defensive capabilities. The enhanced OpenAI cybersecurity model achieved an 85.6% score on the CyberGym benchmark, an internal assessment measuring whether an AI agent can reproduce known software vulnerabilities in testing environments [2]. This represents an improvement from the previous version's 81.8% score and notably surpasses Anthropic's Mythos 5, which scored 83.8% [1]. The updated model can perform deeper analysis across large codebases, identify security-relevant components, validate likely vulnerabilities, and develop and test software patches [2]. These capabilities remain available exclusively through the company's limited Trusted Access for Cyber program, which provides vetted cybersecurity companies and researchers controlled access without public release.
Source: Axios
As AI-driven cybersecurity initiatives advance, OpenAI launched Patch the Planet, an internet-scale effort to help open source software stay ahead of AI bug hunting tools. Founded with Trail of Bits and developed in collaboration with HackerOne and Calif, the Patch the Planet initiative offers free security consulting services to open source maintainers struggling under the weight of AI-generated vulnerability reports [1]. Trail of Bits CEO Dan Guido emphasized that the project aims to help the open source community see the benefits rather than just the downsides of AI coding tools. The initiative has already produced tangible results, with more than 30 open source projects participating and hundreds of bugs uncovered with dozens of patches produced in just the first week [1]. Trail of Bits committed roughly a fifth of its workforce (25 engineers) to a five-day opening sprint, demonstrating the scale of resources dedicated to vulnerability patching efforts.

Open source developers, typically volunteers maintaining critical software with limited resources, face mounting challenges as AI vulnerability hunting floods them with low-quality reports. OpenAI's cyber tech lead Fouad Matin acknowledged that maintainers "do their work out of love of open source and now they're stuck reviewing slop CVEs" [1]. Patch the Planet addresses this by making the process as efficient from a token perspective as possible, reducing the burden through code base assessments, validating potential reports, creating patches, and landing them. Matin revealed that OpenAI has been subsidizing usage of its Codex Security scanner "to the tune of 20 trillion tokens" for both open source and private code [1]. With funding from OpenAI and unmetered model access, Trail of Bits plans to maintain its intense commitment to the project long term, tailoring support to each maintainer's highest priorities whether building better testing infrastructure, custom fuzzers, or cleaning up technical debt.
Source: Wired
OpenAI is launching the Daybreak Cyber Partner Program, allowing participating security vendors to integrate GPT-5.5 with Trusted Access for Cyber into the products and services they provide to customers [2]. This expansion lets vetted cybersecurity companies deploy OpenAI's advanced capabilities to help secure customer environments while maintaining the controlled access framework. The company has established partnerships with Australia, Canada, France, Germany, Japan, Poland, the Republic of Korea, and EU institutions, working with critical infrastructure operators and government networks on ways to safely deploy advanced AI cybersecurity capabilities [2]. These international collaborations signal a coordinated approach to balancing the deployment of powerful cyber capabilities with legitimate defenders while limiting opportunities for malicious use, a difficult balancing act as policymakers pay closer attention to how advanced AI systems are evaluated, tested, and deployed.

The announcements come as Anthropic remains in limbo with the U.S. government after the Trump administration forced the company to pull its Fable 5 and Mythos 5 models off the market earlier this month [1]. The White House imposed export controls after Anthropic publicly released the Mythos-grade Fable 5 with blocks on its advanced biological and cybersecurity capabilities, protections the administration deemed inadequate. With both companies preparing for IPOs, competition continues intensifying even as regulatory scrutiny mounts. OpenAI's strategic emphasis on its CyberGym benchmark performance and controlled access model positions the company as taking a more cautious approach to deployment while still advancing capabilities. The race to get advanced AI models into the hands of cyber defenders continues heating up, with OpenAI's latest moves demonstrating how AI developers navigate the tension between enabling legitimate security work and preventing misuse in an increasingly complex regulatory environment.

Summarized by Navi