OpenAI Bolsters Cybersecurity Push with GPT-5.5-Cyber Update

"It is our strongest model yet for finding and helping patch software vulnerabilities, while retaining GPT‑5.5’s general-purpose intelligence and ability to work across long, complex tasks," OpenAI said.

On Monday OpenAI released an updated GPT‑5.5‑Cyber and rolled out a package of companion moves aimed squarely at software security: a restricted partner program, a revamped Codex Security scanner and plugin, and a "Patch the Planet" initiative for open source maintainers. The announcements arrive against a backdrop the source describes as Anthropic’s "Mythos mess" and a broader atmosphere of FUD about AI-enabled cyberattacks, context OpenAI acknowledged while emphasizing its own engagement with defenders and U.S. officials.

GPT‑5.5‑Cyber: what OpenAI says it can do and how it was tested

OpenAI positioned the updated GPT‑5.5‑Cyber as an iteration that improves both vulnerability discovery and remediation. The company says the model "can sustain deeper analysis across large codebases: identifying security-relevant components, tracing whether vulnerable code is reachable, validating likely issues in controlled environments, developing and testing patches, and preparing evidence for human review." OpenAI previously released a preview to a select set of "trusted defenders" and on Monday published an update it says beats that preview on multiple benchmarks.

Against three named evaluation suites OpenAI reported measurable gains. On CyberGym — which tests AI systems' ability to reproduce known vulnerabilities — GPT‑5.5‑Cyber scored 85.6 percent versus 81.8 percent for GPT‑5.5. On ExploitGym, which measures conversion of vulnerabilities into exploits that achieve unauthorized code execution, the new model scored 39.5 percent compared with 25.95 percent. And on SEC-bench Pro, focused on long-horizon discovery and proof-of-concept capabilities, GPT‑5.5‑Cyber hit 69.8 percent versus 63.1 percent for GPT‑5.5.

OpenAI also said it has had "ongoing dialogue" with the US government about the model and upcoming releases — a discussion the company framed as relevant to potential export control risks.

OpenAI Daybreak Cyber Partner Program: restricted access and expansion plans

The updated GPT‑5.5‑Cyber is not broadly available. The OpenAI Daybreak Cyber Partner Program currently includes about 30 security-vendor and service-provider partners, and only those select firms get access to the updated model. OpenAI says it plans to add more organizations to the "elite group" in the coming months.

Patch the Planet: a curated push to help open source maintainers

Patch the Planet is co-founded with Trail of Bits and launched in collaboration with HackerOne and Californian AI-powered bug hunter Calif. The effort supplies participating open source projects with ChatGPT Pro, conditional access to the Codex Security scanner, and API credits intended for core development, maintainer automation, and release workflows.

OpenAI said maintainers "define their priorities, preferences, and established disclosure processes," while Patch the Planet security researchers "manage the work end to end - validating and deduplicating both vulnerabilities and patches before they reach maintainers, significantly reducing the burden on maintainers and speeding up remediation." Trail of Bits reported that in the first week Patch the Planet uncovered hundreds of bugs, produced 64 pull requests and filed 51 issues across 19 projects.

  • Named projects assisted in that initial week include cURL, NATS, pyca, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto.
  • More than 30 projects have joined Patch the Planet so far, and maintainers can apply to join.

The initiative highlighted two rapid automation wins: using GPT‑5.5‑Cyber to build a full-scale fuzzing lab in under a day — work that the source says would have taken human fuzzing experts two or three weeks — and using Codex to build a CVE variant analysis pipeline in less than a day.

Codex Security plugin: pipeline integration, scale, and automation metrics

OpenAI released a Codex Security plugin that it says "enables out-of-the-box defensive security workflows" and makes the scanner easier to integrate into CI/CD and developer workflows. The Codex scanner, released as a research preview in March, has scanned more than 30 million commits across more than 30,000 codebases, OpenAI said.

OpenAI reported concrete remediation metrics: human reviewers have manually marked about 70,000 findings as fixed, and AIs have auto-determined that more than 500,000 findings are fixed. The plugin can "triage and validate existing findings from scanners, advisories, bug-bounty reports, or ticketing systems, then automate patch generation at scale" and export reports to vulnerability management systems or integrate using SARIF files and CodeQL queries. OpenAI said the plugin makes these capabilities more accessible for Codex CLI pipelines or the Codex app.

What this means for open source maintainers, security vendors, and policymakers

Open source maintainers: Patch the Planet aims to reduce the burden on maintainers by validating, deduplicating, and submitting fixes; early results show dozens of pull requests and dozens of issues filed across major projects in week one. Maintainers will be watching how conditional access to tools like Codex and ChatGPT Pro fits their disclosure processes and release workflows.

Security vendors and service providers: Access to GPT‑5.5‑Cyber is currently limited to the roughly 30 members of the Daybreak program; vendors in that circle will gain early operational experience and potential competitive advantage, while other firms must await OpenAI's planned expansion of the partner roster.

Policymakers and government actors: OpenAI highlighted "ongoing dialogue" with the US government about the model and upcoming releases, and it released its updates while Anthropic's "Mythos mess" and national security concerns were explicitly cited as complicating defenders' access to advanced models from other companies.

OpenAI's announcements stitch together product updates, selective partnerships, and targeted help for open source projects. The company has published performance gains, usage and remediation metrics, and early results from a coordinated maintainer program — and pledged to expand partner access in the months ahead. Whether selective access and the wider political and security context will shape who benefits from these defensive AI tools remains the practical question implicit in the rollout.
