OpenAI Launches Effort to Patch Open-Source Bugs as It Takes on Anthropic’s Mythos
OpenAI announces cybersecurity-focused initiatives to combat AI hacking capabilities and partners with Trail of Bits to launch Patch the Planet.

As fears about AI hacking capabilities grow, OpenAI on Monday made a slew of cybersecurity-focused announcements, including an improved version of its limited-access, security-specialized model GPT-5.5-Cyber, expanded international work with governments and other institutions to give them 'trusted access' to the company's latest cybersecurity-focused models, and the release of its Codex Security scanner as an app plugin. OpenAI also announced an effort known as Patch the Planet, founded with the prominent research-focused security firm Trail of Bits and in collaboration with the vulnerability management firms HackerOne and Calif. The project has already begun offering free security consulting services to open source maintainers, not only to help them find and patch vulnerabilities but also to support them in strengthening their codebases and incorporating AI security tools into their development process.
'Patch the Planet is an internet-scale effort to help open source software get ahead of AI bug hunting tools,' says Trail of Bits CEO and cofounder Dan Guido. 'But it's also an effort to help the open source community see the benefits and not just the downsides of AI coding tools.' Open source developers—typically volunteers keeping critical and widely used software afloat with few resources—are often already struggling to keep up with bug reports. The rise of AI vulnerability hunting in recent months has, for many maintainers, made that backlog feel insurmountable as AI-generated slop reports stack up, making it difficult to prioritize and pulling already limited time and attention away from critical flaws.
Maintainers 'do their work out of love of open source and now they're stuck reviewing slop CVEs,' says OpenAI's cyber tech lead Fouad Matin. With Patch the Planet, he says, 'what we've effectively done is make it as efficient from a token perspective as possible to reduce the burden for maintainers—code base assessments, validating potential reports, creating patches, and landing them. We want to offset costs, whether it's tokens or people power, to actually patch as much of the world of software as possible.' Matin adds that for its Codex Security scanner, which has been in research preview since earlier this year, OpenAI has been subsidizing usage for both open source and private code 'to the tune of 20 trillion tokens.' More than 30 open source projects are already participating in Patch the Planet, with more in the pipeline.
To launch the project, Trail of Bits recently conducted a five-day opening sprint in which 25 of its engineers, roughly a fifth of its workforce, worked simultaneously on collaborations with an array of maintainers. OpenAI and Trail of Bits say the project has already uncovered hundreds of bugs and produced dozens of patches in just its first week. And Guido says that with funding from OpenAI as well as unmetered model access, Trail of Bits plans to continue its intense commitment to Patch the Planet work long term.
Source: Wired