OpenAI Enlists AI to Patch Open Source

OpenAI's 'Patch the Planet' initiative uses AI and expert review to find and fix vulnerabilities in critical open-source software.

[Figure: OpenAI's 'Patch the Planet' initiative aims to secure open-source software using AI. Image: OpenAI News]

OpenAI is launching 'Patch the Planet,' a new initiative designed to bolster the security of the open-source software that underpins much of the digital world. Developed in collaboration with Trail of Bits, the program leverages OpenAI's most advanced AI models to accelerate the discovery and patching of vulnerabilities, as detailed in an announcement.

The core of Patch the Planet is pairing AI-powered security analysis with expert human review. The approach aims not only to identify security flaws but also to assist in remediating them, a critical task for maintainers who are often overwhelmed by the volume of reports.


Trail of Bits is dedicating its entire security research organization to this effort. Its teams work directly with open-source maintainers to validate vulnerabilities, develop and test patches, and coordinate responsible disclosure.

How it Works

Each Patch the Planet engagement starts with a consultation with the project's maintainers to understand specific needs. Security engineers then investigate potential vulnerabilities, validate findings, and develop or refine patches.

The initiative provides participating projects with access to tools like ChatGPT Pro and conditional access to Codex Security, alongside API credits for development workflows.

Initial projects benefiting from this program include widely used software like cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org.

Early Results

Trail of Bits security engineers, utilizing AI models like GPT-5.5-Cyber, have already identified hundreds of security issues across 19 open-source projects. Dozens of patches have been merged, with many more undergoing disclosure.

The program has also yielded reusable security infrastructure, including fuzzing harnesses and pipelines for analyzing historical vulnerabilities. These tools aim to create more efficient and effective security workflows.

One notable achievement is the rapid development of a fuzzing lab in less than a day, a task that would typically take weeks manually. AI assistance was crucial in expanding test coverage and identifying edge cases.

Additionally, a pipeline for finding variants of known vulnerabilities has been built, effectively turning historical CVE data into actionable search strategies.

Differential testing, comparing different software implementations of the same protocol, was also accelerated, compressing weeks or months of work into days.
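The fuzzing harnesses and differential testing mentioned above are easiest to understand with a concrete, if miniature, instance. The following is an added example written for this article; it is not code from OpenAI, Trail of Bits, or any of the projects named here. It constructs two implementations of the same small piece of protocol parsing (the hexadecimal chunk-size field of an HTTP/1.1 chunked body, as in `1a;ext=1`) that are meant to agree, then feeds both the same randomly generated inputs and records every disagreement. The parsers, alphabet and seed are all assumptions made for the demonstration.

```python
import random
from typing import Optional, Tuple, List

# Constructed example: two implementations of the same chunk-size parser.
# In a real differential test the two sides would be independent projects
# implementing the same protocol; here both are written inline so the
# example runs offline.

HEXDIGITS = "0123456789abcdefABCDEF"


def parse_chunk_size_strict(line: str) -> Optional[int]:
    """Reference implementation: the chunk-size is one or more hex digits,
    optionally followed by ';' and chunk extensions. Anything else is
    rejected by returning None."""
    size_part = line.split(";", 1)[0]
    if not size_part or any(c not in HEXDIGITS for c in size_part):
        return None
    return int(size_part, 16)


def parse_chunk_size_lenient(line: str) -> Optional[int]:
    """A plausible second implementation that delegates to int(..., 16).
    Python's int() also accepts a leading sign, surrounding whitespace, a
    '0x' prefix and '_' digit separators, none of which the strict parser
    allows, so the two disagree on exactly the inputs a differential test
    should surface (including negative chunk sizes)."""
    size_part = line.split(";", 1)[0]
    try:
        return int(size_part, 16)
    except ValueError:
        return None


Disagreement = Tuple[str, Optional[int], Optional[int]]


def differential_check(line: str) -> Optional[Disagreement]:
    """Run both parsers on one input; return None if they agree, otherwise
    (input, strict_result, lenient_result)."""
    a = parse_chunk_size_strict(line)
    b = parse_chunk_size_lenient(line)
    return None if a == b else (line, a, b)


# Alphabet chosen (assumption) to include hex digits plus the characters
# most likely to expose parser leniency: whitespace, sign, 0x prefix, '_'.
ALPHABET = "0123456789abcdef xX+-_;"


def fuzz(seed: int, iterations: int = 5000, max_len: int = 6) -> List[Disagreement]:
    """Generate random inputs from ALPHABET and collect each distinct input
    on which the two implementations disagree. The seed makes the run
    reproducible, which matters when a finding has to be re-triaged."""
    rng = random.Random(seed)
    found = {}
    for _ in range(iterations):
        line = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(1, max_len)))
        d = differential_check(line)
        if d is not None and line not in found:
            found[line] = d
    return sorted(found.values())


if __name__ == "__main__":
    for line, strict, lenient in fuzz(seed=1)[:10]:
        print(f"{line!r:12} strict={strict!r:6} lenient={lenient!r}")
```

Each disagreement is a candidate finding, not a confirmed bug: the next step, as in the engagements described above, is human review to decide which side is wrong and whether the divergence has a security consequence (a negative or prefix-bearing chunk size accepted by one parser and rejected by another is the kind of mismatch that matters when two components sit on the same request path).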

OpenAI Daybreak's broader work also shows AI's potential in finding and validating vulnerabilities across different software layers.

Real-World Impact

Early findings highlight the program's broad reach. In the Linux kernel, AI identified potential security issues and generated proofs of concept for kernel pointer information leaks and local privilege escalations.

Significant vulnerabilities were also found in OpenBSD, including a 23-year-old use-after-free bug, and multiple local privilege escalations in FreeBSD.

In network infrastructure such as dnsmasq, AI identified vulnerable code patterns that correlated with later CVE fixes. The "HTTP/2 Bomb" denial-of-service vulnerability affecting numerous web servers was also identified.

Browser security has also been a focus, with exploitable vulnerabilities found in Chrome's V8 engine and Safari's WebKit. A WebAssembly vulnerability in Firefox was identified and patched just before a major security competition.

The initiative emphasizes that open-source software is shared infrastructure, and its security should be a collective effort. Patch the Planet aims to equip maintainers with better tools and capacity, integrating AI into the full defensive loop from discovery to deployment.

© 2026 StartupHub.ai. All rights reserved.