OpenAI released GPT-5.5-Cyber to verified defenders on June 22, paired the launch with an expanded Codex Security plugin and a 28-firm partner roster, and co-founded an open-source patching initiative called Patch the Planet with Trail of Bits. The bundled message: vulnerability discovery is no longer the binding constraint in security. Fixing things is.

That framing matters because it reorganizes who owns the problem. For two decades the disclosure economy has rewarded finding bugs, not closing them. OpenAI’s pitch, echoed by collaborators HackerOne and CALIF, is that a sufficiently capable model collapses the discovery side of that economy, leaving the patch backlog as the politically and operationally hard part. Patch the Planet will fund researchers to work directly with maintainers of widely used open-source projects, with more than 30 projects already committed, including cURL, the Go project, Python, Sigstore and pyca/cryptography.

The benchmarks are doing real work in the announcement. GPT-5.5-Cyber scored 85.6 percent on CyberGym, which measures whether an agent can reproduce known vulnerabilities, against 81.8 percent for the standard GPT-5.5. It posted 39.5 percent on the internal ExploitGym and 69.8 percent on SEC-bench Pro. Codex Security, in research preview since March, has scanned more than 30,000 codebases and over 30 million commits, with more than 70,000 findings marked fixed by human reviewers.

The field evidence is more striking than the scoreboards. The Hacker News reported Daybreak surfacing a 23-year-old use-after-free flaw in OpenBSD’s kernel implementation of System V semaphores, 34 vulnerabilities and seven local privilege-escalation proofs-of-concept in FreeBSD, six in dnsmasq, five exploitable bugs in Chrome’s V8 JavaScript engine, and a denial-of-service technique dubbed HTTP/2 Bomb affecting NGINX, Apache, IIS and Pingora. These aren’t toy findings. They’re load-bearing infrastructure.

The commercial scaffolding tells the rest of the story. The Daybreak Cyber Partner Program launched with Cisco, CrowdStrike, Palo Alto Networks, Accenture, IBM, Okta and Wiz. Trusted Access for Cyber added Australia, Canada, France, Germany, Japan, South Korea and European Union institutions over the past month, with the United States government continuing pre-deployment testing. Anthropic’s Project Glasswing, launched in April, occupies adjacent ground.

What’s being assembled here is closer to a standards body than a product line: a frontier lab installing itself as the clearinghouse between sovereign customers, the incumbent security vendors and the maintainers of the code everyone runs. The 2017 disclosure-reform debates ended in stalemate because nobody could pay for the fixes. OpenAI is volunteering, and pricing the seat accordingly.
