OpenAI Launches Major Push to Fix Open-Source Bugs, Challenging Anthropic

Summary
– OpenAI announced cybersecurity initiatives including an improved GPT-5.5-Cyber model, expanded government access to security models, and a Codex Security app plug-in.
– The company launched Patch the Planet with Trail of Bits, HackerOne, and Calif to offer free security consulting to open-source maintainers.
– The project aims to help open-source projects patch vulnerabilities and strengthen code bases against AI bug-hunting tools.
– Open-source developers face overwhelming bug report backlogs, worsened by AI-generated slop reports that distract from critical flaws.
– Patch the Planet has already uncovered hundreds of bugs and produced dozens of patches, with over 30 projects participating and more planned.
As concerns mount over the potential for AI-powered hacking, OpenAI unveiled a series of cybersecurity initiatives on Monday. Among them is an enhanced version of its restricted-access security model, GPT-5.5-Cyber, expanded collaborations with international governments and institutions for “trusted access” to its latest security-focused AI tools, and the release of its Codex Security scanner as an app plug-in.
But perhaps the most significant announcement targets a growing crisis: the vulnerability of critical open-source projects as AI advances outpace their defenses. OpenAI launched Patch the Planet, a program created alongside the research-driven security firm Trail of Bits and in partnership with vulnerability management platforms HackerOne and Calif. The initiative is already underway, offering free security consulting to open-source maintainers. The goal is not just to identify and fix bugs, but to strengthen code bases and integrate AI-powered security tools into development workflows. The aim is to provide tailored support to as many open-source projects as possible, boosting both their immediate security and long-term resilience in a sustainable way.
“Patch the Planet is an internet-scale effort to help open-source software get ahead of AI bug-hunting tools,” says Dan Guido, CEO and cofounder of Trail of Bits. “But it’s also an effort to help the open-source community see the benefits and not just the downsides of AI coding tools.”
Open-source developers, often volunteers who maintain widely used software with minimal resources, already struggle to keep up with bug reports. The recent surge in AI-driven vulnerability hunting has made that backlog feel overwhelming. Many maintainers are flooded with low-quality, AI-generated reports, making it hard to prioritize and pulling attention away from genuine critical flaws.
“They do their work out of love of open source, and now they’re stuck reviewing slop CVEs,” says Fouad Matin, OpenAI’s cyber tech lead. With Patch the Planet, he explains, “we’ve effectively made it as efficient from a token perspective as possible to reduce the burden for maintainers: code base assessments, validating potential reports, creating patches, and landing them. We want to offset costs, whether it’s tokens or people power, to actually patch as much of the world of software as possible.”
Matin also notes that OpenAI has been subsidizing usage of its Codex Security scanner, available in research preview since earlier this year, for both open-source and private code, “to the tune of 20 trillion tokens.”
More than 30 open-source projects are already part of Patch the Planet, with more on the way. To kick off the initiative, Trail of Bits ran a five-day opening sprint, deploying 25 engineers, roughly a fifth of its workforce, to collaborate with maintainers. OpenAI and Trail of Bits report that the project has already uncovered hundreds of bugs and generated dozens of patches in its first week. Guido says that with funding from OpenAI and unmetered model access, Trail of Bits plans to maintain this intense commitment long-term.
“It’s so rare that we get the opportunity to work on large-scale open-source security issues,” Guido says. “And Patch the Planet is not a one-size-fits-all. We speak to all the maintainers for every single project and figure out what their highest priorities are, whether it’s building better testing infrastructure or custom fuzzers or just cleaning up technical data across the project because that’s what’s going to make them work faster and operate faster and patch faster.”
(Source: Wired)