OpenAI wants AI to fix vulnerabilities, not just find them

OpenAI expanded Daybreak, its cybersecurity initiative that combines AI models, Codex Security, security researchers, maintainers, industry partners, and access controls to support vulnerability discovery and remediation. Organizations can use the initiative to identify, validate, and fix software vulnerabilities, while developers, maintainers, and security teams can use its tools to strengthen defensive security capabilities.

Codex Security scan (Source: OpenAI)

Codex Security targets remediation bottlenecks

Advances in vulnerability discovery are exposing more issues, increasing the pressure on teams responsible for fixing them.

OpenAI launched the Codex Security cloud research preview in March. Since then, it has scanned more than 30 million commits across 30,000 codebases, and more than 500,000 findings have been automatically determined to be fixed.

The platform understands a team’s codebase and threat model, or creates one when needed. It identifies plausible vulnerabilities, determines whether affected code is reachable, gathers evidence to support validation, develops targeted patches, and verifies results. Human operators remain in control of which findings to investigate, which changes to apply, and what information to share.

With the updated Codex Security plugin, developers can run deep scans or review recent changes in repositories, pull requests, and local code, and generate reports that include severity ratings, affected code locations, validation evidence, and remediation guidance. The plugin can also trace attack paths, build threat models, validate findings, and generate codebase-specific patches for review.

“The plugin can also triage and validate existing findings from scanners, advisories, bug bounty reports, or ticketing systems, then automate patch generation at scale to help reduce vulnerability backlogs. When Codex Security completes a scan, it can export findings to an existing vulnerability management system or integrate with other tools through SARIF files, CodeQL queries, and more. The plugin makes these capabilities more accessible for automated pipelines using Codex CLI and for developer workflows in the Codex app,” the company said.
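The SARIF hand-off described above is where most teams actually meet scanner output, so here is an added example (not OpenAI's or Codex Security's code) of the receiving side: a small Python ingester that reads a SARIF 2.1.0 file, resolves each result's severity from the standard `level` and `defaultConfiguration` fields, collapses duplicate findings across runs, and ranks what is left for human triage. The SARIF sample is constructed for this example, the scanner name and rule ids are made up, and the `security-severity` rule property is assumed to follow the convention GitHub code scanning uses; nothing here reflects what Codex Security itself emits.

```python
"""Ingest SARIF 2.1.0 scanner output, deduplicate findings, rank for triage.

Added example, not OpenAI's or Codex Security's code. Assumes only standard
SARIF 2.1.0 fields plus the optional "security-severity" rule property
(a GitHub code-scanning convention, treated here as an assumption).
"""
import json

# Constructed SARIF document with two runs (think: two scans of the same
# repository). Run 2 repeats one finding from run 1 so the dedup path runs,
# and its results omit "level" so the rule default / spec default applies.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "example-scanner", "rules": [
                {"id": "EX001", "shortDescription": {"text": "SQL injection"},
                 "defaultConfiguration": {"level": "error"},
                 "properties": {"security-severity": "9.8"}},
                {"id": "EX002", "shortDescription": {"text": "Hard-coded secret"},
                 "defaultConfiguration": {"level": "warning"},
                 "properties": {"security-severity": "7.5"}},
            ]}},
            "results": [
                {"ruleId": "EX001", "level": "error",
                 "message": {"text": "Query built from request input"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "src/db.py"},
                     "region": {"startLine": 42}}}]},
                {"ruleId": "EX002", "level": "warning",
                 "message": {"text": "API key literal"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "src/config.py"},
                     "region": {"startLine": 7}}}]},
            ],
        },
        {
            "tool": {"driver": {"name": "example-scanner", "rules": [
                {"id": "EX001", "defaultConfiguration": {"level": "error"},
                 "properties": {"security-severity": "9.8"}},
                {"id": "EX002", "properties": {"security-severity": "7.5"}},
            ]}},
            "results": [
                # Same rule and location as run 1: a duplicate, not a new finding.
                {"ruleId": "EX001", "message": {"text": "Query built from request input"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "src/db.py"},
                     "region": {"startLine": 42}}}]},
                # New location; no level on result or rule -> SARIF default "warning".
                {"ruleId": "EX002", "message": {"text": "Token literal"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "src/settings.py"},
                     "region": {"startLine": 3}}}]},
            ],
        },
    ],
})

# SARIF result levels, highest first. "none" means the rule is informational.
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


def _security_severity(rule: dict) -> float:
    """CVSS-style score from the rule's properties, 0.0 when absent/unparseable."""
    try:
        return float(rule.get("properties", {}).get("security-severity", 0))
    except (TypeError, ValueError):
        return 0.0


def load_findings(sarif_text: str) -> list[dict]:
    """Flatten every result in every run into a plain finding record."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            # Severity precedence per SARIF: result.level, then the rule's
            # defaultConfiguration.level, then the spec default "warning".
            level = result.get("level") or rule.get(
                "defaultConfiguration", {}).get("level", "warning")
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append({
                "tool": driver.get("name", "<unknown>"),
                "rule_id": result.get("ruleId", "<no-rule>"),
                "level": level,
                "score": _security_severity(rule),
                "uri": uri,
                "line": line,
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def dedupe(findings: list[dict]) -> tuple[list[dict], int]:
    """Keep the first finding per (rule, file, line); return survivors and duplicate count."""
    seen, unique = set(), []
    for f in findings:
        key = (f["rule_id"], f["uri"], f["line"])
        if key in seen:
            continue
        seen.add(key)
        unique.append(f)
    return unique, len(findings) - len(unique)


def rank(findings: list[dict]) -> list[dict]:
    """Order for triage: highest score, then SARIF level, then a stable file/line order."""
    return sorted(findings, key=lambda f: (-f["score"], -LEVEL_RANK.get(f["level"], 0),
                                           f["uri"], f["line"]))


if __name__ == "__main__":
    unique, dups = dedupe(load_findings(SAMPLE_SARIF))
    print(f"{dups} duplicate(s) collapsed; {len(unique)} finding(s) to triage")
    for f in rank(unique):
        print(f"{f['score']:4.1f} {f['level']:<8} {f['rule_id']} {f['uri']}:{f['line']}  {f['message']}")
```

The dedup key deliberately uses rule id plus location rather than message text, because scanner messages often change between versions while the underlying finding does not; a production ingester would also carry the SARIF `fingerprints`/`partialFingerprints` values through so a ticket survives a rename or line shift.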

GPT-5.5-Cyber gains new security capabilities

OpenAI’s initial preview of GPT-5.5-Cyber, which remains available to verified defenders whose authorized work requires OpenAI’s most advanced cyber capabilities, focused on reducing unnecessary refusals in specialized workflows. The model can identify security-relevant components, determine whether code is reachable, validate likely issues in controlled environments, develop and test patches, and prepare evidence for human review.

GPT-5.5-Cyber outperformed GPT-5.5 on the CyberGym, ExploitGym, and SEC-bench Pro security benchmarks, scoring 85.6%, 39.5%, and 69.8%, respectively.

“We are continuing to evaluate the model’s performance on complex repositories and real remediation workflows as coordinated disclosures conclude,” OpenAI added.

OpenAI launches cyber partner program

OpenAI launched the OpenAI Daybreak Cyber Partner Program, which allows participating security vendors to integrate GPT-5.5 with Trusted Access for Cyber into customer-facing products and services.

Trusted Access for Cyber provides access to advanced cyber capabilities alongside additional safeguards, monitoring, and verification measures.

The company said it plans to expand the program to additional organizations in the coming months.

Patch the Planet supports open-source security

OpenAI launched the Patch the Planet initiative with Trail of Bits and in collaboration with HackerOne and CALIF. It funds security researchers and equips them with Codex Security and advanced AI models to work with open-source maintainers.

The initiative combines AI-assisted vulnerability discovery with expert human review to reduce false positives and ease the burden on software maintainers.

OpenAI security researchers work with open-source maintainers to validate vulnerabilities, remove duplicate reports, and verify patches before submission. Participating projects receive ChatGPT Pro, API credits, and conditional access to Codex Security.

According to OpenAI, an initial five-day sprint identified hundreds of potential issues, led to dozens of merged fixes, and produced reusable testing workflows to support future vulnerability discovery and remediation.

The company is working with governments and institutions worldwide to strengthen cybersecurity defenses and protect critical infrastructure.

“We plan to work directly with eligible operators of critical infrastructure, including government networks, to develop safeguards tailored to the systems they operate. The focus of this work is to make advanced AI more useful to defenders while making it harder for malicious actors to cause real-world harm,” the company said.

OpenAI plans to work with enterprise customers and partners to strengthen cybersecurity safeguards and help prevent attacks targeting critical services.