OpenAI launches open-source security program with Trail of Bits
OpenAI has launched a security initiative called Patch the Planet, built in partnership with security firm Trail of Bits, aimed at identifying and patching vulnerabilities in widely used open-source software. The program pairs AI-assisted security research with human expert review before findings are submitted to project maintainers.
According to a statement from OpenAI, Trail of Bits has committed its entire security research organization to an initial sprint, working directly with maintainers to investigate vulnerabilities, develop patches, and coordinate disclosure. OpenAI is also partnering with HackerOne and Calif for vulnerability triage and additional discovery efforts.
Initial participating projects include cURL, Python, the Go project, Sigstore, pyca/cryptography, NATS Server, aiohttp, freenginx, and python.org. Trail of Bits engineers have already identified hundreds of security issues across 19 open-source projects and merged dozens of patches, with additional findings still under coordinated disclosure.
The program operates using OpenAI's frontier models, including GPT-5.5-Cyber and its Codex Security tool. Participating projects receive access to ChatGPT Pro, conditional access to Codex Security, and API credits.
OpenAI also disclosed a series of vulnerabilities found through its broader Daybreak research effort. In the Linux kernel, GPT-5.5-Cyber generated eight kernel pointer information leak proof-of-concepts and 24 local privilege escalation exploits. Researchers identified a 23-year-old use-after-free vulnerability in OpenBSD's kernel. In FreeBSD, 34 vulnerabilities were confirmed, and seven local privilege escalation proof-of-concepts were produced.
In browsers, five exploitable vulnerabilities were found in Chrome's V8 engine, more than 10 exploitable vulnerabilities were identified in Safari's WebKit, and a WebAssembly vulnerability in Firefox was patched two days before the Pwn2Own Berlin competition.
Codex Security independently identified vulnerability patterns corresponding to four dnsmasq CVEs later fixed in version 2.92rel2. Researchers also identified an HTTP/2 denial-of-service technique affecting major server implementations including Nginx, Apache, IIS, and Pingora, with analysis suggesting more than 880,000 internet-facing websites ran affected software.
OpenAI said it plans to publish deeper technical reports as fixes are deployed and coordinated disclosures conclude.
