product update

TL;DR

Trail of Bits launched Patch the Planet, a security initiative using OpenAI's GPT-5.5-Cyber model to find and fix bugs in critical open-source projects. The first week produced 64 pull requests and 51 issues across 19 projects including cURL, Python, PyPI, and Sigstore, with 37 patches already merged.


Trail of Bits and OpenAI's Daybreak initiative produce 64 pull requests across 19 open-source projects in one week using GPT-5.5-Cyber

Trail of Bits launched Patch the Planet, a security initiative that pairs security engineers with open-source maintainers to find and fix vulnerabilities using frontier AI models. In its first week, the project produced 64 pull requests and 51 issues filed across 19 critical open-source projects, with 37 patches already merged.

Partnership with OpenAI's Daybreak

The initiative operates through a partnership with OpenAI's Daybreak program, using the GPT-5.5-Cyber model. According to Trail of Bits, the approach differs from typical AI security scanning in that human experts orchestrate and triage the findings, then work directly with maintainers to fix issues rather than simply filing bug reports.

The first week covered projects including cURL, NATS, pyca, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. Trail of Bits reports that over 30 projects have joined the initiative, with applications open for additional open-source maintainers.

Specific technical contributions

Beyond security fixes, merged patches include:

  • CI workflow integration using zizmor (Trail of Bits' GitHub Actions auditor) for python.org
  • Correctness fixes to RustCrypto's big-integer library
  • Serde encoding support and HPKE DHKEM suite IDs for RustCrypto
  • Storage-accounting and service-restart fixes in SimpleX
  • SBOM sidecars for Python's Windows artifacts
  • New fuzzing harnesses and test suites across multiple projects

Of the 51 issues filed, 19 have been closed with fixes. Additional findings remain under coordinated disclosure through private channels including HackerOne, GitHub security advisories, and mailing lists.

GPT-5.5-Cyber capabilities demonstrated

Trail of Bits reports that GPT-5.5-Cyber built a complete fuzzing laboratory in under one day, including sanitizer builds, seed corpus generation from existing tests, and harnesses across a dozen entry points. The model created a harness that injected operating system backpressure to reach previously unexplored buggy states. Trail of Bits estimates this work would require two to three weeks for a human fuzzing expert.

The model also constructed a pipeline for CVE variant analysis in one day, which Trail of Bits claims produced "almost exclusively high-signal output" when combined with Codex's /goal feature.

The initiative uses a bot called "Patchy" to monitor projects, post findings and merged patches to Slack, and track progress across all participating projects.

What this means

This represents the first large-scale deployment of frontier AI models for coordinated open-source security improvements with human expert oversight. The 37 merged patches in one week, spanning infrastructure improvements, fuzzing harnesses, and feature additions, suggest that AI-assisted security work can produce maintainer-accepted code at scale when properly triaged. The initiative's focus on patches rather than raw bug reports addresses a key complaint about AI security scanning: that it creates work for maintainers rather than reducing it. However, the true measure will be whether the pace of merged contributions holds beyond the initial week, and whether the claimed efficiency gains hold across different types of projects and vulnerability classes.
