OpenAI announced a new cybersecurity model, expanded government partnerships, and a new open-source scanner plugin on Monday. The company also launched an initiative called Patch the Planet to help maintainers fix vulnerabilities in critical software.
This effort was founded with Trail of Bits, a security research firm, alongside vulnerability management companies HackerOne and Calif.
The project offers free security consulting to open-source maintainers. The goal is to help them find and patch flaws, strengthen their codebases, and integrate AI security tools into their workflows. The aim is to provide individualized support that improves current security and long-term resilience in a sustainable way.
“Patch the Planet is an internet-scale effort to help open source software get ahead of AI bug hunting tools,” says Dan Guido, CEO and cofounder of Trail of Bits. “But it’s also an effort to help the open source community see the benefits and not just the downsides of AI coding tools.”
Open-source developers often keep critical software running with few resources. The rise of AI vulnerability hunting has made the backlog of bug reports feel unmanageable for many. AI-generated reports stack up quickly, making it hard to prioritise issues and pulling limited attention away from critical flaws.
“Maintainers do their work out of love of open source and now they’re stuck reviewing slop CVEs,” says Fouad Matin, OpenAI’s cyber tech lead. “With Patch the Planet, what we’ve effectively done is make it as efficient from a token perspective as possible to reduce the burden for maintainers—code base assessments, validating potential reports, creating patches, and landing them.”
Matin adds that OpenAI has subsidised usage of its Codex Security scanner for both open-source and private code to the tune of 20 trillion tokens.
More than 30 open-source projects are already participating in Patch the Planet, with more joining soon. Trail of Bits ran a five-day opening sprint to launch the project. Twenty-five engineers, roughly a fifth of its workforce, worked simultaneously on collaborations with various maintainers. OpenAI and Trail of Bits say the project has already uncovered hundreds of bugs and produced dozens of patches in its first week. Guido says funding from OpenAI and unmetered model access will allow Trail of Bits to continue this work long term.
“It’s so rare that we get the opportunity to work on large scale open source security issues,” Guido says. “And Patch the Planet is not a one size fits all. We speak to all the maintainers for every single project and figure out what their highest priorities are, whether it’s building better testing infrastructure or custom fuzzers or just cleaning up technical data across the project because that’s what’s going to make them work faster and operate faster and patch faster.”
These announcements come as competitor Anthropic pulled its new Fable 5 and Mythos 5 models off the market earlier this month. The Trump administration raised fears about the AI cybersecurity capabilities of these tools. The White House decision to impose export controls followed Anthropic’s public release of the Mythos-grade Fable 5 with blocks on advanced biological and cybersecurity capabilities, protections the administration feared were inadequate.
OpenAI’s announcements, including the new checkpoint of GPT-5.5-Cyber, are part of a limited “Trusted Access for Cyber” program and do not involve a public release. Competition continues as both Anthropic and OpenAI prepare for IPOs. In its GPT-5.5-Cyber announcement, OpenAI noted the model scores 85.6 percent on the CyberGym benchmark assessment, an improvement from a previous version. The performance also beats Anthropic’s Mythos 5, which scored 83.8 percent.
The Five Eyes intelligence alliance issued a joint statement on Monday warning that frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years; it is months. The statement added that in this environment, cyber resilience is integral.
For its part, Patch the Planet gives participants six months of free ChatGPT Pro and six months of Codex Security, along with infrastructure and workflow improvements usable with various tools and human engineers.
“With Patch the Planet so far, only about half the time was spent finding bugs,” Guido says. “We’re trying to find the most superficial, easily discoverable, most severe bugs and wipe them off the table, but the other half of the time we spent customizing agents to work on the code base so we can leave them behind and teach the maintainers how to use them.”
What it means
Maintainers of open-source software receive direct support to reduce the time spent on initial bug detection. The remaining effort focuses on customising agents to work within their codebases, allowing the maintainers to learn how to use these tools independently for future tasks.
Update 6/22/26 at 1:05 pm ET: Added additional details about the Patch the Planet program.




