OpenAI launches Patch the Planet to secure open-source software
OpenAI is moving past the familiar promise of vulnerability detection and into the harder work of fixing the code. Its new Patch the Planet effort, announced June 22, pairs Trail of Bits security engineers with critical open-source projects so maintainers get findings, patches, and a week of dedicated review instead of another inbox full of raw reports.
That shift matters because the most dangerous software failures often begin in places few people notice. A neglected library, package, or system tool can sit deep in the stack, then cascade into outages or breaches that hit hospitals, businesses, and government systems all at once. OpenAI says its answer is to use AI-assisted security research with expert human review, aiming to identify vulnerabilities and help patch them before attackers turn small defects into national-scale problems.
Patch the Planet is part of OpenAI’s broader Daybreak cybersecurity effort, which the company says is built around authorization, human judgment, monitoring, safeguards, and collaboration with the wider security community. OpenAI also says advanced access to its cyber tools is reserved for verified defenders through Trusted Access for Cyber, a gatekeeping model meant to keep powerful capabilities in the hands of people who are supposed to defend systems, not break them.
The company’s expanded security push also included the full release of GPT-5.5-Cyber and a Cyber Partner Program. OpenAI has said its security work now extends beyond bug-finding and into patching, building on Codex Security, the AI application security agent it introduced in March 2026 to analyze project context, validate complex vulnerabilities, and patch them with less noise. Trail of Bits said participating maintainers receive six months of ChatGPT Pro, and some projects also receive conditional Codex Security access.

The roster is not fixed publicly, but secondary reporting says more than 30 open-source projects are already involved or in the pipeline, including cURL, Go, Python, Sigstore, pyca/cryptography, aiohttp, and dnsmasq. That list underscores the scale of the problem OpenAI is targeting: the software most people depend on is often maintained by a small group with limited time, limited funding, and too many reports to triage.
OpenAI framed the initiative as a continuation of a line of work it has been signaling for years. In 2024, the company said it had found vulnerabilities in open-source software and would release disclosures to relevant open-source parties as it scaled. It now also has an outbound coordinated vulnerability disclosure policy and a CVE assignment policy for third-party software flaws. The unresolved question is whether Patch the Planet changes the economics of maintainer burnout and understaffed security teams, or simply puts a brighter spotlight on how fragile the open-source supply chain already is.