OpenAI is turning part of its cybersecurity push toward a problem that has been building across the software world: open source maintainers are being asked to defend critical code while also dealing with a rising flow of AI-generated bug reports.
On Monday, the company announced Patch the Planet, a program founded with Trail of Bits and developed in collaboration with HackerOne and Calif. The project is already offering free security consulting to open source projects, with the goal of helping maintainers patch vulnerabilities, strengthen codebases, and make practical use of AI security tools.
A security push aimed at maintainers
Patch the Planet is not presented as a public software release or a one-off audit. It is a support effort for open source maintainers, many of whom work with limited resources while responsible for code used far beyond their own projects.
The program’s work includes code base assessments, review of possible vulnerability reports, patch creation, and help landing those patches. The source article says the project also focuses on infrastructure and workflow improvements that maintainers can continue using after the engagement ends.
That matters because the current pressure is not only about finding bugs. For maintainers, the harder problem can be deciding which reports are real, which ones are urgent, and which ones are noise. AI bug hunting can surface useful findings, but it can also produce low-quality reports that consume time.
OpenAI’s cyber tech lead Fouad Matin described the burden in direct terms, saying maintainers “do their work out of love of open source and now they’re stuck reviewing slop CVEs.” He said Patch the Planet is meant to reduce the cost of tasks such as assessments, report validation, patch creation, and patch landing.
What Patch the Planet is doing now
The program has already started. More than 30 open source projects are participating, with more expected to begin. Trail of Bits also ran a five-day opening sprint involving 25 engineers, described as roughly a fifth of its workforce, working with maintainers across multiple projects.
OpenAI and Trail of Bits say the first week has already uncovered hundreds of bugs and produced dozens of patches. The project is also backed by OpenAI funding and unmetered model access for Trail of Bits, which Trail of Bits CEO and cofounder Dan Guido says will support a long-term commitment.
Participants also receive six months of free ChatGPT Pro and six months of Codex Security. The source says they are also left with infrastructure and workflow improvements that can be carried forward with different tools and human engineers.
Guido framed the work as broader than finding issues. “With Patch the Planet so far, only about half the time was spent finding bugs,” he said. The other half, he said, went toward customizing agents for specific codebases and teaching maintainers how to use them.
Why AI bug hunting changes the workload
Open source security has always depended on people who understand their code, review changes, and decide what should be fixed first. AI adds a new layer to that process. It can help search for flaws, but it can also increase the volume of reports that maintainers must inspect.
That creates a practical tension. A useful AI-assisted finding still has to be validated, turned into a patch, tested, and merged. A weak report still has to be read before it can be dismissed. In a project with few available maintainers, both outcomes compete for the same limited attention.
Patch the Planet’s approach is to pair AI tools with security engineers and project-specific support. According to Guido, the program is not “a one size fits all.” Instead, Trail of Bits speaks with the maintainers of each project and works around their priorities, whether that means better testing infrastructure, custom fuzzers, or cleanup of technical debt.
That structure reflects the central claim of the effort: open source projects need help that matches how they actually work. A scanner alone may find problems. A consulting effort can also help a project absorb the fixes and improve the process around future ones.
Part of a wider cybersecurity race
Patch the Planet was one piece of a larger set of OpenAI cybersecurity announcements on Monday. The company also announced an improved version of GPT-5.5-Cyber, expanded international work with governments and other institutions through “trusted access,” and released its Codex Security scanner as an app plugin.
The GPT-5.5-Cyber work is part of OpenAI’s limited “Trusted Access for Cyber” program and does not involve a public release. OpenAI said the model scores 85.6 percent on CyberGym, above the 83.8 percent score attributed to Anthropic’s Mythos 5 in the source article.
The broader context is competition and concern around advanced AI cybersecurity capabilities. The source article says Anthropic had to pull its new Fable 5 and Mythos 5 models off the market earlier this month amid fear from the Trump administration about AI cybersecurity capabilities.
The Five Eyes intelligence alliance also warned in a joint statement on Monday that frontier AI models are expected to transform both offensive and defensive cyber capabilities. The statement said: “The timeline is not years, it is months. … In this environment, cyber resilience is integral.”
The practical promise
For open source maintainers, the value of Patch the Planet will likely be judged by whether it reduces workload rather than simply adding another tool to manage. The source describes a program built around validation, patching, tooling, and workflow support, not just more vulnerability discovery.
That distinction is important. If AI makes bug hunting faster, then open source projects need faster ways to separate real risk from noise. They also need help turning validated findings into durable improvements.
OpenAI and Trail of Bits are positioning Patch the Planet as one answer to that gap. The early results reported in the source are bugs found, patches produced, and maintainers supported with tools and workflows intended to outlast the initial engagement.