Tuesday, June 23, 2026

OpenAI Builds the Patch Crew That AI Broke: Patch the Planet Targets Open-Source Security

by Owen Radner

OpenAI announced “Patch the Planet” on Monday, an initiative built with security firm Trail of Bits and in collaboration with HackerOne and Calif to move open-source software from vulnerability discovery to actual patching. More than 30 projects have committed to participate, with early names including cURL, Go, Python, Sigstore, and pyca/cryptography. The mechanism: OpenAI funds expert security researchers who use Codex Security and GPT-5.5-Cyber to work directly with open-source maintainers, validating findings, building patches, and developing reusable testing workflows before handing results to maintainers. The first five-day sprint surfaced hundreds of issues for review and merged dozens of patches. YourNewsClub reads the sprint result as operationally significant rather than symbolic – dozens of patches merged across 19 projects in five days is a concrete output, not a press release. The comparison to Anthropic’s Mythos 5 situation is implicit but pointed: the government’s export control order restricted the tool that defends, while Patch the Planet deploys a comparable capability for exactly the defensive work Mythos 5’s advocates argued was being taken away.

The shift OpenAI is describing is real. For most of software security’s history, the bottleneck was finding vulnerabilities – rare expertise, time, and familiarity with complex codebases. Now AI accelerates that discovery so dramatically that defenders are overwhelmed with reports before they can act on them. The bottleneck has moved downstream, from finding to patching. OpenAI cited Linux Foundation and Harvard research finding that 94% of widely used open-source projects have fewer than 10 developers responsible for more than 90% of the code added in a year. Throwing more AI-generated vulnerability reports at teams that small does not improve security – it creates noise. Patch the Planet addresses that by human-reviewing every finding before it reaches a maintainer. A 23-year-old use-after-free flaw in OpenBSD’s kernel was among the discoveries disclosed alongside the launch.

The full release of GPT-5.5-Cyber accompanies the announcement, scoring 85.6% on OpenAI’s CyberGym benchmark against 81.8% for the standard GPT-5.5. Access remains restricted to vetted defenders through the Trusted Access for Cyber programme. The Daybreak Cyber Partner Program simultaneously opens GPT-5.5 with Trusted Access to security vendors for use in their own products, with launch partners including Accenture, Cisco, CrowdStrike, IBM, Okta, Palo Alto Networks, and Wiz. YourNewsClub spots the partner list as the commercial architecture that makes Patch the Planet sustainable: OpenAI earns partnership revenue from enterprise security vendors while the open-source initiative runs partly on that income.

Owen Radner, who models digital infrastructure as energy-information transport systems, draws the infrastructure framing: “Open-source software is not a product – it is infrastructure. The same way a government would fund road maintenance on routes too important to leave to individual towns, Patch the Planet is arguing that AI-accelerated vulnerability discovery requires a similarly funded patching infrastructure. OpenAI covering that cost through commercial partnerships is a pragmatic financing structure, not a charitable one.” Maya Renn, whose work focuses on the ethics of computation and access to power through technology, frames what the initiative’s design choices embed: “Every Patch the Planet finding gets reviewed by an OpenAI-selected security engineer before it reaches a maintainer. That gives OpenAI editorial control over what vulnerabilities get disclosed and in what order. The execution of the initiative is a governance question as much as a technical one – who gets to decide what gets patched first is a form of power over shared infrastructure.”

YourNewsClub ranks the 23-year-old OpenBSD flaw as the most commercially compelling disclosure in the launch – a critical flaw in an operating system widely used in security appliances and firewalls, undetected for more than two decades, found in days by an AI model. The competitive timing is not incidental. Anthropic’s most capable security model, Mythos 5, is currently unavailable under a US government export control order.

YourNewsClub flags the open question of whether the Patch the Planet patch rate – vulnerabilities fixed versus total surfaced – will become the standard measure for AI-assisted security programmes; if it does, it sets a benchmark every competitor must now match.
