The conventional framing for AI in cybersecurity goes like this: AI finds bugs, humans fix them, everyone is safer. That story stopped being true a while ago. OpenAI is now saying so out loud.
On June 22, OpenAI expanded its Daybreak cybersecurity program with a full release of GPT-5.5-Cyber, a new Codex Security plugin, and something called Patch the Planet: a program co-founded with Trail of Bits and HackerOne to move AI-discovered vulnerabilities all the way through to merged patches in real open-source projects. The thesis, stated plainly in OpenAI's announcement: AI models now find vulnerabilities faster than defenders can fix them. The bottleneck has shifted. The scarce resource is no longer discovery. It's repair.
That shift has a specific shape you can see in the numbers. GPT-5.5-Cyber scored 85.6% on CyberGym, compared to 81.8% for the base GPT-5.5. On ExploitGym it reached 39.5% against 25.95% for its predecessor. Those gaps are meaningful, but they're also the least interesting part of the announcement. What actually matters is what happened before the press release.
Trail of Bits put its entire security research organization on a five-day sprint using Codex and GPT-5.5-Cyber across 19 open-source projects. Hundreds of issues surfaced. Dozens of patches merged. The model scanned more than 30 million lines of the Linux kernel, flagged security-relevant components, and generated 8 kernel pointer information-leak proofs of concept and 24 local privilege escalation exploits. It found a 23-year-old use-after-free flaw in OpenBSD's kernel that could let an unprivileged local user escalate to root. On Firefox, GPT-5.5 found a WebAssembly vulnerability that Mozilla patched two days before Pwn2Own Berlin. Five of the six registered Firefox entries at that competition withdrew. No Firefox exploit was successfully demonstrated.










