The maker of ChatGPT wants to make open-source projects less of a security bargain

OpenAI has launched Patch the Planet, a new initiative aimed at fixing one of the internet’s quietest problems – the chronically underfunded security of open-source software.

Patch the Planet pairs OpenAI’s most security-capable AI models with Trail of Bits, a security firm that has committed its entire research organization to the effort, alongside support from HackerOne and Calif.

How OpenAI plans to actually fix the bugs

The problem OpenAI is trying to solve is real and specific. AI tools can now generate a flood of potential vulnerabilities, but overworked maintainers still have to sort genuine threats from false alarms.

OpenAI’s cyber tech lead Fouad Matin put it bluntly, saying maintainers do this work out of love for open source and now find themselves drowning in low-quality, AI-generated bug reports. Trail of Bits CEO Dan Guido echoed that sentiment, calling the project a massive effort to help open-source software get ahead of AI bug hunting tools, while also showing maintainers the upside of AI coding tools, not just the downsides.

Researchers use OpenAI’s Codex Security and GPT-5.5-Cyber models to investigate and validate issues, then personally review every finding before it ever reaches a maintainer. OpenAI is also subsidizing roughly 20 trillion tokens worth of Codex Security usage for open-source and private code alike.

Why this matters beyond bug fixes

More than 30 projects are already participating, including cURL, Python, and the Go project, with Trail of Bits running an opening sprint using a fifth of its entire workforce. The effort has already surfaced hundreds of bugs and dozens of patches in its first week alone.

This announcement also lands as rival Anthropic was forced to pull its Mythos 5 and Fable 5 models from the market this month over White House concerns about AI cybersecurity capabilities. OpenAI’s updated GPT-5.5-Cyber reportedly outscores Mythos 5 on the CyberGym benchmark, 85.6% to 83.8%.

That benchmark gap might seem small, but it’s a reminder that the real race between AI labs may end up shaping internet security far more than any single product launch.