Skip to content
News Product launch

OpenAI expands Daybreak with GPT-5.5-Cyber full release and Patch the Planet open-source initiative

· by Pondero Newsdesk

The short version

OpenAI released GPT-5.5-Cyber to trusted defenders on June 22 and launched Patch the Planet with Trail of Bits to find and fix vulnerabilities in widely used open-source software.

OpenAI expands Daybreak with GPT-5.5-Cyber full release and Patch the Planet open-source initiative

On June 22, OpenAI moved GPT-5.5-Cyber out of limited preview and into full release for trusted defenders, and simultaneously launched Patch the Planet, a joint initiative with Trail of Bits to ship security patches, not just find vulnerabilities, in critical open-source software.

What happened

Three announcements landed at once. Per OpenAI's Daybreak page, GPT-5.5-Cyber scored 85.6% on CyberGym, a vulnerability-reproduction benchmark, versus 81.8% for standard GPT-5.5. The model is available to vetted security organizations through Daybreak's continuing limited release to trusted defenders.

The second announcement was Patch the Planet. Per OpenAI's initiative page, Trail of Bits has committed its entire security research organization to the program. Initial project participants include cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org. More than 30 open-source projects have committed to participate in total. HackerOne and Calif are also involved, handling vulnerability triage and coordinated disclosure.

The third piece was the Daybreak Cyber Partner Program. Founding partners include Cisco, Cloudflare, CrowdStrike, IBM, Palo Alto Networks, Tenable, and Wiz. Per OpenAI, these firms gain trusted access to Daybreak's most capable models to embed into their own security products.

On the same day, Five Eyes intelligence agencies issued a joint advisory warning that frontier AI models will transform offensive cyber capabilities in months, per TechTimes reporting on the parallel timing.

What Trail of Bits found

Per OpenAI's Patch the Planet post, Trail of Bits used GPT-5.5-Cyber and Codex to build a full fuzzing lab in less than a day, a task that would ordinarily take several weeks by hand. The team found hundreds of security issues across 19 open-source projects, with dozens of patches already merged. Separately, Daybreak researchers found five exploitable Chrome V8 vulnerabilities, more than 10 WebKit flaws in Safari, and a WebAssembly bug in Firefox (CVE-2026-8390) that Mozilla patched two days before Pwn2Own Berlin. In the Linux kernel, GPT-5.5-Cyber generated 24 local privilege escalation exploits. Many findings remain under embargo.

Per OpenAI, Trail of Bits engineers manually reviewed every finding before it reached a maintainer, filtering false positives before submission. That review layer is central to the program's design: AI-generated vulnerability lists that land directly on maintainer queues can add burden rather than reduce it.

Why it matters

The shift from discovery to patch delivery is what separates this from prior vulnerability-disclosure programs. If your stack includes cURL, Go, Python, or any of the named projects, watch their security advisories over the next few weeks as coordinated disclosures complete. On the same day, per TechTimes, Five Eyes intelligence agencies issued a joint advisory warning that AI will transform offensive cyber capabilities in months. That framing gives the Daybreak expansion its urgency.

For security teams evaluating AI-assisted tooling, GPT-5.5-Cyber's full release signals OpenAI considers the model production-ready for vetted defender use. The 3.8-point CyberGym gap over standard GPT-5.5 is modest; the expanded permissiveness for security research is the more relevant detail.

What to watch next

The first Patch the Planet disclosures are the near-term signal. OpenAI said it plans deeper technical reports as fixes land and coordinated disclosures complete. Any confirmed high-severity CVEs from the Linux kernel or browser findings that are still under embargo would mark a concrete capability milestone for AI-assisted vulnerability research. The question of whether GPT-5.5-Cyber eventually becomes a commercial product for enterprise security teams, separate from the current Daybreak trusted-defender track, remains open.

Sources