OpenAI Launches Patch the Planet for Open Source Security
OpenAI and Trail of Bits unveiled Patch the Planet, pairing AI-driven vulnerability discovery in open source with mandatory human expert review before patches ship.
OpenAI, together with security firm Trail of Bits, HackerOne, and Calif, launched Patch the Planet to address open source's chronic maintenance gap. Research from the Linux Foundation and Harvard's Census II study shows that 94% of contributions to widely used projects come from fewer than ten core developers, and AI-assisted scanning tools now generate more findings than these few maintainers can realistically triage. Patch the Planet tackles this with a two-layer model: automated discovery via GPT-5.5-Cyber and Codex Security, followed by mandatory validation, deduplication, and severity correction by Trail of Bits engineers, so maintainers receive tested patches rather than raw reports.
The first five-day sprint scanned 19 projects, produced hundreds of findings, filed 64 pull requests with 37 already merged, and more than 30 critical projects — including cURL, Go, Python, Sigstore, and pyca/cryptography — have since joined. The underlying Codex Security infrastructure has scanned over 30 million commits and confirmed more than 70,000 fixes since March 2026, and the broader Daybreak program has surfaced real vulnerabilities in the Linux kernel, Chrome's V8 engine, and WebKit. A Firefox WebAssembly flaw patched just before Pwn2Own Berlin led five of six registered exploit entries to withdraw.
For engineers, the significance lies less in the technology than in the precedent it sets: a single company controlling both the most capable vulnerability-discovery model and much of the patching pipeline concentrates outsized influence over the software supply chain's security posture. There's real risk that an AI-generated patch could quietly introduce a new flaw, which is why Trail of Bits insists every finding passes human review. The takeaway for enterprises evaluating AI security tooling is that value isn't in how many issues a model finds, but in how reliably those findings convert into trustworthy fixes.