OpenAI Pairs GPT-5.5-Cyber With Open-Source Patch Initiative
TL;DR
- GPT-5.5-Cyber scores 85.6% on CyberGym, 39.5% on ExploitGym, and 69.8% on SEC-bench Pro, each above GPT-5.5's prior marks.
- Trail of Bits engineers are working full-time across 19 open-source projects, with hundreds of issues found and dozens of patches already merged.
- Patch the Planet, co-founded with Trail of Bits and HackerOne, covers more than 30 projects including cURL, Go, Python, and Sigstore.
OpenAI extended its Daybreak cybersecurity platform this week with something less common than a benchmark win: an actual count of merged patches in widely-used open-source code. As Wired reports, the company launched Patch the Planet, a program co-founded with Trail of Bits and HackerOne, alongside the full release of GPT-5.5-Cyber.
Trail of Bits has engineers working full-time across 19 open-source projects using Codex and GPT-5.5-Cyber; they have already identified hundreds of security issues and merged dozens of patches, with more still under coordinated disclosure. More than 30 projects have committed to participate, including cURL, Go, Python, Sigstore, and pyca/cryptography. The model itself scanned security-relevant components across more than 30 million lines of code and generated proof-of-concepts for 8 kernel pointer information leaks and 24 local privilege escalation vulnerabilities in the Linux Kernel.
On the model side, GPT-5.5-Cyber posts meaningful gains over its predecessor: 85.6% on CyberGym (up from 81.8% for GPT-5.5), 39.5% on ExploitGym (up from 25.95%), and 69.8% on SEC-bench Pro (up from 63.1%). OpenAI describes it as built for "verified defenders whose work requires advanced cyber capabilities paired with verification, monitoring, and scoped controls." Partners Accenture, Akamai, Check Point, Cisco, Cloudflare, CrowdStrike, IBM, and Palo Alto Networks joined the Daybreak Cyber Partner Program. The Codex Security plugin has scanned over 30 million commits across more than 30,000 codebases since a March preview, with more than 70,000 findings manually marked fixed and over 500,000 automatically resolved.
The competitive backdrop is Anthropic. In April, Anthropic's Claude Mythos Preview reportedly found thousands of high-severity vulnerabilities across every major operating system and browser, staking a similar AI-for-defense position. OpenAI's bet of funding engineers to merge patches into cURL and the Linux Kernel alongside the model release is a concrete move in the same space.
The honest caveat is that benchmark scores and proof-of-concept generation measure capability in controlled settings, not the durability of fixes once deployed. What the reporting does not give you is a clear picture of how "verified defender" access is vetted, or what the commercial terms look like for Cyber Partner Program members. Whether Patch the Planet becomes a lasting infrastructure investment or a promotional sprint around a model launch is the question worth watching.
Originally reported by wired.com
Original headline: OpenAI Launches GPT-5.5-Cyber and Patch the Planet Initiative to Secure Open-Source Software With Trail of Bits and 30+ Projects