
Patch the Planet: a Daybreak initiative to support open source maintainers

June 22, 2026

Security

We are introducing Patch the Planet, a Daybreak initiative built with Trail of Bits to help maintainers strengthen the critical open-source software the world relies on. We’re pairing AI-assisted security research using our most cyber-capable models with expert human review, not only to identify vulnerabilities but to help patch them.

AI is accelerating vulnerability discovery, but discovery alone does not protect users. Many maintainers are already being asked to sort through more reports, more quickly, with the same limited time and resources. Patch the Planet is built to reduce that burden, not add to it: security engineers review findings before they reach maintainers, work with projects to develop patches and tests, and build reusable workflows that help teams continue improving security after the first fixes land.

Trail of Bits has committed its entire security research organization to this effort for our initial surge. Its engineers are working directly with maintainers to investigate and validate vulnerabilities, develop and test patches, and coordinate disclosure.

We are also partnering with HackerOne and Calif, who are helping us take these efforts further with vulnerability triage, coordinated disclosure, and additional focused vulnerability discovery.

How Patch the Planet works

Each engagement under Patch the Planet begins in consultation with the maintainer. Security engineers work with maintainers to understand the project’s needs and preferences, and where additional security effort would be most useful: vulnerability validation, patch development, CI/CD improvements, or longer-term security engineering. Once aligned, researchers investigate potential vulnerabilities, validate meaningful issues, develop or refine patches, support testing, and coordinate disclosure through the project’s established channels.

Initial participants include cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org. These projects support widely used networking, cryptography, software supply chain, and language infrastructure, where stronger security can benefit a broad range of downstream products and services. Additional projects will join in future rounds.

Security researchers are equipped with our frontier models as well as Codex Security to support analysis, patch development, testing, and documentation. Participating projects receive access to ChatGPT Pro, conditional access to Codex Security, and API credits for core open-source development, maintainer automation, and release workflows. Trail of Bits has developed AI-assisted workflows for deduplication, triage, and patching that projects can run with this support.

Early field notes and findings from developers

Trail of Bits has dedicated security engineers to work full-time with Codex and GPT‑5.5‑Cyber across 19 open-source projects, and has already identified hundreds of security issues and merged dozens of patches, with many more still undergoing coordinated disclosure.

The initial sprint also produced reusable security infrastructure: fuzzing harnesses, historical-CVE analysis pipelines, differential-testing systems, threat models, expanded test suites, and workflows for deduplication, false-positive filtering, severity correction, and patch generation. Some project-specific details will be shared later as testing, remediation, and coordinated disclosure progress. A few early examples show what the team was able to build and find:

A fuzzing lab in less than a day. Trail of Bits engineers used repeated Codex /goal runs with GPT‑5.5‑Cyber to build an entire fuzzing lab covering dozens of entry points, variant builds, platforms, and novel test seeds. Engineers set the objectives and refined the prompts; the system then used coverage feedback to keep expanding into new surfaces, target edge cases, and filter weak or invalid candidates.

Trail of Bits engineers found that, with limited guidance, GPT‑5.5‑Cyber made useful choices about where to expand coverage, which builds and entry points to probe, and which candidates were too weak to pursue. The completed setup took less than a day. Trail of Bits estimates that building the same lab manually would ordinarily take at least several weeks.

A reusable pipeline for finding variants of known vulnerabilities. The team built an end-to-end system that ingests historical CVEs, extracts relevant vulnerability patterns, searches target codebases for related flaws, and sends candidate findings through specialized judging agents. The pipeline deduplicates results, filters likely false positives, and routes the strongest evidence to security engineers for manual confirmation.

This turns years of public vulnerability history into a repeatable search strategy that can be applied across projects. Trail of Bits found the models especially effective at this kind of variant analysis, which uncovered many additional issues across the codebases under review.

Differential testing in days instead of weeks or months. Different implementations of the same protocol should usually behave the same way under the same inputs. When they diverge, one may contain a bug. Applying this idea at scale is normally difficult because engineers must write custom shim and glue code connecting each implementation to a common test harness.

Codex generated and iterated on that code, allowing multiple implementations to be fuzzed against one another and their behavioral differences investigated. The workflow filtered many weak or invalid results and produced a comparatively high-signal set of candidates for expert review. The team reached those results within days, compressing work that has historically taken weeks or months. Trail of Bits is continuing to expand and refine these tests before publishing project-specific details.
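The differential-testing workflow described above, as an added example that is not code from OpenAI, Trail of Bits, or any project named on this page: two constructed Content-Length parsers (a strict one following the digits-only rule of RFC 9110 and a lenient one built on int()) are fuzzed against each other under one harness; exceptions are normalised so that both implementations rejecting an input counts as agreement, and each divergence is shrunk to a minimal input before being recorded. The parser pair, the input alphabet, and the shrinking routine are all assumptions of this example.

```python
import random

def strict_content_length(value: str) -> int:
    # Reference behaviour assumed here: RFC 9110 allows only 1*DIGIT.
    if value and value.isascii() and value.isdigit():
        return int(value)
    raise ValueError("invalid Content-Length")

def lenient_content_length(value: str) -> int:
    # Constructed second implementation: leans on int(), which also
    # accepts surrounding whitespace, a sign and digit-group underscores.
    return int(value)

IMPLS = [strict_content_length, lenient_content_length]

def run(impl, value):
    # Normalise outcomes so that "both rejected" compares as agreement.
    try:
        return ("ok", impl(value))
    except ValueError:
        return ("reject", None)

def disagree(impls, value):
    return len({run(impl, value) for impl in impls}) > 1

def minimise(value, differs):
    # Greedy single-character deletion while the divergence persists.
    while True:
        for i in range(len(value)):
            candidate = value[:i] + value[i + 1:]
            if differs(candidate):
                value = candidate
                break
        else:
            return value

def differential_fuzz(impls, seed=0, rounds=2000, alphabet="0123456789 +-_\t"):
    # Random inputs over a constructed alphabet; each divergence is shrunk,
    # then recorded once, keyed by its minimal form.
    rng = random.Random(seed)
    found = {}
    for _ in range(rounds):
        value = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 6)))
        if disagree(impls, value):
            minimal = minimise(value, lambda v: disagree(impls, v))
            found[minimal] = [run(impl, minimal) for impl in impls]
    return found
```

Calling differential_fuzz(IMPLS) returns the shrunk divergences together with each implementation's outcome, which is the kind of high-signal candidate set an engineer would then review by hand.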

Testing software against the behavior its specifications promise. The teams used Codex to develop threat models, attack taxonomies, invariant tests, and property-based tests grounded in project specifications and RFCs. These methods exposed notable differences between intended and actual behavior while leaving projects with broader test coverage, stronger...
