OpenAI just put its AI to work fixing the bugs that hold the internet together.
On Monday, OpenAI launched Patch the Planet, a new initiative that uses its models to find security flaws in open-source software and then actually write the fix. The company is running the effort with Trail of Bits, a security research firm, and the early numbers are doing the talking.
In its first week across 19 open-source projects, Trail of Bits used OpenAI's new GPT-5.5-Cyber model to file 64 pull requests, raise 51 issues, and get 19 of them already closed with a fix. That's a lot of fixes for projects that often run on a handful of unpaid volunteers.
What's actually new is the scope of what the AI is being asked to do. Earlier AI security tools mostly tried to surface vulnerabilities and then dump them on overworked maintainers to patch. Patch the Planet is built to do the whole job: find the bug, validate it, write the fix, and explain the change. Fouad Matin, OpenAI's cyber tech lead, told Wired the goal was to "reduce the burden for maintainers" rather than create more work for them. Trail of Bits CEO Dan Guido put the shift more concretely in the same piece: "With Patch the Planet so far, only about half the time was spent finding bugs." The rest went to writing the fix, which is the part open-source projects have never had enough hands for.
OpenAI is also leaning hard on the capability story. GPT-5.5-Cyber hit 85.6% on CyberGym, a benchmark designed to test real-world security tasks. That edges out the 83.8% Anthropic's Claude Mythos Preview posted on the same test, and it nearly doubles GPT-5.5's score on a separate benchmark that measures whether a model can turn a known flaw into a working exploit.
That comparison isn't accidental. Anthropic has been running a parallel effort called Project Glasswing with bigger raw numbers, having flagged more than 10,000 high or critical vulnerabilities across roughly 50 partners. But Anthropic also just had to suspend access to its Mythos model after a US government export-control directive, which has put parts of Glasswing on pause. OpenAI is taking ground while its main rival is grounded.
The reason any of this matters beyond the leaderboard is that open-source code runs nearly everything, including the systems AI agents use to write new software. Jim Zemlin, CEO of the Linux Foundation, put it bluntly that open source makes up the vast majority of code in modern systems, and the people maintaining it are wildly outnumbered by the people looking for ways to break it.
The catch is that flooding maintainers with AI-generated patches could just move the bottleneck. Forrester analyst Biswajeet Mahapatra told CSO Online that the real win is being able to find, validate, patch, and document issues faster than humans can, but the value disappears if reviewers can't keep up. A few open-source maintainers have already asked Anthropic to slow down disclosures because they need more time to design patches.
INTO THE VALLEY
The story most people will tell is that OpenAI and Anthropic are racing to build the better security AI. The more interesting one is that they've both quietly become responsible for the security of open-source code they didn't write. That's a strange spot for a company whose main product is a chatbot, and it's going to get stranger as these systems file more patches in a week than maintainers can review in a month. The next real question isn't whether the AI can find the bugs. It's whether anyone on the other end has time to read what it sends.
