OpenAI expands Daybreak with Codex Security, GPT-5.5-Cyber and Patch the Planet initiative


OpenAI has expanded its Daybreak cybersecurity initiative to help organizations identify and patch vulnerable software faster using AI. The company says its models have already discovered and generated patches for critical vulnerabilities affecting major web browsers, network infrastructure, and operating systems, including FreeBSD and the Linux kernel.

The expansion introduces an updated Codex Security plugin, the full version of GPT-5.5-Cyber, the Daybreak Cyber Partner Program, and Patch the Planet.

AI shifts focus from finding flaws to fixing them

OpenAI says AI has accelerated vulnerability discovery, making remediation the new challenge for security teams. While AI can analyze large codebases, trace attack paths, and uncover vulnerabilities more efficiently, organizations still need to validate findings, assess risk, test patches, coordinate disclosure, and deploy fixes.

According to the company, Daybreak combines OpenAI’s AI models, Trusted Access for Cyber, Codex Security workflows, and ecosystem partners to help approved defenders validate vulnerabilities, prioritize risk, generate and test fixes, and integrate remediation into existing development and security workflows with governance and human oversight.

Codex Security update

OpenAI has updated the Codex Security plugin based on internal deployments and customer feedback. The company says the plugin is designed to accelerate vulnerability remediation while helping prevent new vulnerabilities from reaching production.

Key capabilities include:

  • Deep security scans across codebases or recent code changes.
  • Threat model creation, reachability analysis, and attack path tracing.
  • Validation evidence, remediation guidance, and code-specific patch generation.
  • Triage of findings from scanners, advisories, bug bounty reports, and ticketing systems.
  • Export through SARIF, CodeQL, Codex CLI, the Codex app, and existing vulnerability management platforms.

Since entering research preview in March, Codex Security Cloud has scanned more than 30 million commits across 30,000+ codebases. Human reviewers have confirmed more than 70,000 findings as fixed, while the platform has automatically verified over 500,000 additional fixes. OpenAI says developers remain responsible for deciding which findings to investigate and which patches to deploy.

GPT-5.5-Cyber

OpenAI has also released the full version of GPT-5.5-Cyber through its limited Trusted Access for Cyber program. Following an earlier permissive-only preview, the model is designed for advanced, authorized cybersecurity work while retaining GPT-5.5’s general reasoning capabilities.

According to OpenAI, GPT-5.5-Cyber can analyze repositories, identify security-sensitive components, determine whether vulnerable code is reachable, validate findings, develop and test patches, and prepare evidence for human review.

The company reported the following benchmark results:

  • CyberGym: 85.6% (vs. 81.8% for GPT-5.5)
  • ExploitGym: 39.5% (vs. 25.95% for GPT-5.5)
  • SEC-bench Pro: 69.8% (vs. 63.1% for GPT-5.5)

OpenAI says the CyberGym score is its highest recorded for a single model. The company is also evaluating GPT-5.5-Cyber on real-world remediation workflows and says GPT-5.5 together with Codex Security has already helped identify and validate vulnerabilities in Firefox, V8, Safari, OpenBSD, FreeBSD, and HTTP/2 implementations.

GPT-5.5 remains the recommended starting point for most defensive security workflows, while GPT-5.5-Cyber is intended for verified defenders requiring more advanced capabilities.

Daybreak Cyber Partner Program

OpenAI has launched the Daybreak Cyber Partner Program to extend its cybersecurity capabilities through security software vendors and service providers. Participating partners can integrate GPT-5.5 with Trusted Access for Cyber into their products and services, allowing customers to use AI-powered defensive capabilities while direct model access remains with trusted partners.

OpenAI says it will continue working with partners to strengthen safeguards, monitoring, and abuse-prevention standards as the program expands.

Patch the Planet

OpenAI has also introduced Patch the Planet, an initiative founded with Trail of Bits in collaboration with HackerOne and Calif to help widely used open-source projects move from vulnerability findings to verified fixes. More than 30 open-source projects have committed to participate, including cURL, Go, Python, Sigstore, and pyca/cryptography.

The initiative brings together researchers, maintainers, enterprises, and partners to support remediation through governance and human oversight. Citing research from the Linux Foundation and Harvard University, OpenAI says 94% of widely used open-source projects have fewer than 10 developers responsible for more than 90% of the code added in a year, making it difficult to manage the growing volume of AI-assisted vulnerability reports.

Researchers work with maintainers to define project priorities and disclosure processes before validating and deduplicating findings, developing and testing patches, and coordinating remediation. Participating projects receive:

  • ChatGPT Pro
  • Conditional access to Codex Security
  • API credits for development, maintainer automation, and release workflows

OpenAI says an initial five-day sprint surfaced hundreds of issues for review, merged dozens of patches, and produced reusable fuzzing, variant analysis, differential testing, and specification-based testing workflows.

Government collaboration

OpenAI says it continues to work with governments and institutions to strengthen defensive cybersecurity capabilities. The company has collaborated with the U.S. government, including the Center for AI Standards and Innovation (CAISI), the Office of the National Cyber Director (ONCD), and the Office of Science and Technology Policy (OSTP), on GPT-5.5 and GPT-5.5-Cyber testing, implementation of the recent Executive Order, and related industry standards.

Trusted Access for Cyber partnerships have also been established with Australia, Canada, France, Germany, Japan, the Republic of Korea, and European Union institutions including ENISA, alongside ongoing collaboration with the UK government.

OpenAI says it plans to develop safeguards for government networks and other critical infrastructure operators while working with enterprise customers and trusted partners to incorporate system-specific context and identifiers into its cybersecurity safeguards.

Availability

OpenAI says organizations can use Daybreak to identify, validate, prioritize, and remediate software vulnerabilities across the software they build and operate.

Developers and maintainers can use Codex Security on code they own, while security partners can integrate GPT-5.5 with Trusted Access for Cyber into their products and services through the Daybreak Cyber Partner Program.

GPT-5.5-Cyber continues to be available through OpenAI’s limited Trusted Access for Cyber program for verified defenders requiring its most advanced cybersecurity capabilities.