OpenAI Releases GPT-5.5-Cyber Model to Help Patch Software Vulnerabilities Faster

OpenAI launches GPT-5.5-Cyber to accelerate patching of software vulnerabilities, shifting focus from discovery to remediation with new tools and open-source partnerships.

Jun 23, 2026
Technobezz

OpenAI on Monday released GPT-5.5-Cyber, its "strongest model yet for finding and helping patch software vulnerabilities," alongside an updated Codex Security plugin and a new initiative called Patch the Planet that partners with Trail of Bits and HackerOne to secure open-source projects. The release marks a shift in how OpenAI positions its AI for defensive security. The company initially announced Daybreak last month as a vulnerability discovery program.

But the market has changed. AI models from OpenAI and Anthropic are now finding bugs faster than humans can fix them, flipping the old problem on its head.

Previously the challenge was finding vulnerabilities. The bottleneck has shifted to patching them.

GPT-5.5-Cyber is designed for that new reality. It can sustain deeper analysis across large codebases, trace attack paths, build threat models, validate findings, and generate codebase-specific patches for review. The Codex Security plugin extends those capabilities into existing workflows, letting developers run deep scans, triage findings from scanners and bug-bounty reports, and generate patches at scale to close vulnerability backlogs.

Patch the Planet puts that full defensive loop in service of open-source maintainers. Initial participants include cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org.

OpenAI said it is working with researchers, maintainers, enterprises, and partners to make the capability available with appropriate access, governance, and human oversight. The timing is no coincidence. Daybreak has already surfaced vulnerabilities across Linux, OpenBSD, FreeBSD, Google Chrome, Apple Safari, Mozilla Firefox, and major HTTP/2 implementations.

The haul includes a 29-year-old flaw in the Squid web proxy (CVE-2026-47729, dubbed Squidbleed) that can leak cleartext HTTP requests, plus 34 vulnerabilities and 7 local privilege escalation proofs-of-concept in FreeBSD alone. The Canadian Centre for Cyber Security warned in guidance released in May 2026 that threat actors with limited technical expertise can use publicly available AI models for malicious purposes. Organizations should assume AI-driven exploitation may bypass preventative controls and outpace vendors' capacity to publish fixes.

The Five Eyes intelligence alliance (Australia, Canada, New Zealand, the U.K. and the U.S.) went further, warning that frontier AI models are anticipated to exceed current industry expectations and fundamentally transform both offensive and defensive cyber capabilities. The timeline, the agencies said, is not years -- it is months.

"Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy," the agencies noted. "Those that do not will face growing operational and strategic disadvantage."
