
OpenAI launches Patch the Planet to help secure open-source software

OpenAI is paying experts to hunt and fix bugs in core open-source code, aiming to move security from discovery to repair before flaws spread.

Marcus Williams · 2 min read
Published

OpenAI is trying to move open-source security from bug-hunting to bug-fixing, and it is putting Trail of Bits, HackerOne and Calif in the middle of that pipeline. The new Patch the Planet effort includes cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, software that sits deep in the stack behind hospitals, utilities and government systems.

The company says the program pairs AI-assisted security research with expert human review so findings are filtered before they reach maintainers. That matters because open-source projects often carry the burden of defending code that is widely used but lightly resourced. A bug in a common library can ripple far beyond a single repository, which is why OpenAI is framing the project as a national security issue as much as a software update problem.

OpenAI said Trail of Bits committed its entire security research organization to the initial surge, while HackerOne and Calif will help with triage, coordinated disclosure and additional vulnerability discovery. Participating projects will receive ChatGPT Pro access, conditional access to Codex Security and API credits intended for open-source development, maintainer automation and release workflows. The pitch is straightforward: use AI to find flaws faster, then spend money and staff time to help patched code actually land.


The initiative also fits into a broader security strategy that OpenAI has been building for more than a year. In March 2025, the company said it had reviewed over 1,000 applications and funded 28 research initiatives through its Cybersecurity Grant Program, while raising its maximum bug bounty payout to $100,000 from $20,000. In October 2025, OpenAI introduced Aardvark, then updated it on March 6, 2026 as Codex Security, an agentic security researcher that continuously analyzes repositories, assesses exploitability, prioritizes severity and proposes targeted patches.

The unresolved question is who ultimately pays to secure the software economy everyone relies on. OpenAI is shouldering some of the cost for a selected set of projects, but the model still depends on corporate patronage, private tooling and access decisions made by one company. Patch the Planet may help close the gap between finding a flaw and fixing it, yet the scale of the open-source ecosystem means the larger bill for digital infrastructure security is still being passed around the system rather than fully absorbed by it.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
