OpenAI Targets Faster Patching with Expanded Cyber-Defense Program

OpenAI says GPT-5.5-Cyber scored a record 85.6% on CyberGym’s reproduction-of-known-vulnerabilities test, up from 81.8% for the standard GPT-5.5—a statistic the company pairs with new tooling and partnerships intended to move findings into fixes.

GPT-5.5-Cyber: more capable, more permissive, but tightly gated

OpenAI moved GPT-5.5-Cyber from preview to full release on June 22, describing the model as "both more capable and more permissive than its general models for authorized security work." Access is not public: the company said it will provide the model only to verified defenders through a limited release, paired with extra monitoring and controls. OpenAI reported the model showed gains in exploit writing and proof-of-concept generation tests, and said those same offensive-leaning skills are why access remains tightly gated.

Codex Security and the push from findings to fixes

The expansion of Daybreak centers on patch automation, running mainly through Codex Security — a tool that plugs into OpenAI’s Codex coding assistant to scan code, validate flaws and generate fixes for human review. Since a March preview, OpenAI said Codex Security has scanned more than 30 million commits across 30,000 codebases, with over 500,000 findings logged as fixed. OpenAI framed the effort as keeping humans in control while getting defensive tools to more organizations before attackers gain the same edge.

Patch the Planet, Trail of Bits and open-source maintenance

OpenAI launched a new open-source patching initiative, Patch the Planet, founded with Trail of Bits and others. The initiative aims Codex Security’s capabilities at open-source software by funding researchers to help maintainers fix bugs. More than 30 projects have signed up so far, the company said, including cURL, Go and Python. The program is explicitly intended to help maintainers move from vulnerability discovery to remediation.

Partner program: CrowdStrike, Sophos and Fortinet

OpenAI opened a partner program that lets security vendors build its models into their products. The company named CrowdStrike, Sophos and Fortinet among partners that can integrate the models. Separately, OpenAI said it had agreed cyber partnerships with several governments and would work with critical infrastructure operators. The firm also noted that its benchmark figures came from its own testing and that testing on real-world fixes was continuing.

What this means for security teams, open-source maintainers, and adversaries

  • Security teams and technologists: Organizations that gain access to GPT-5.5-Cyber and Codex Security stand to accelerate the conversion of vulnerability findings into proposed fixes, leveraging automated scanning and patch generation for human review. However, OpenAI’s restricted-release and monitoring approach means broad access will be limited while the company manages the model’s offensive capabilities.
  • Open-source maintainers and funded researchers: Patch the Planet offers a direct channel of funding and tooling aimed at reducing the maintenance burden for widely used projects; more than 30 projects, including cURL, Go and Python, have already enrolled to receive help turning findings into fixes.
  • Adversaries and threat actors: OpenAI emphasized the defensive intent and controls around release, explicitly citing the model’s gains in exploit and PoC generation as reasons to gate access. The company framed its work as an effort to deliver defensive tools to organizations "before attackers gain the same edge."

OpenAI’s announcements present a software-security strategy that is as much about deployment controls as about capability: build stronger, faster patching tools, but limit distribution and monitor use because the same model skills that speed fixes can also speed offensive work. The firm’s own testing underpins the performance claims and the ongoing rollout. A rival lab, Anthropic, launched a comparable bug-fixing program called Project Glasswing in April.

Whether restricted releases, partner integrations, and funded maintenance initiatives will shift the balance toward faster remediation at scale remains the immediate question left open by the record OpenAI has supplied: the company says testing on real-world fixes is continuing, and its next steps will be watched closely by the defenders, maintainers and governments it has invited into the program.