OpenAI announced a flurry of cybersecurity-related AI news on Monday, releasing an improved version of GPT‑5.5‑Cyber, its most advanced vulnerability-finding model, along with an expanded partner program for cybersecurity vendors, an update to its Codex Security scanner⁠, and an initiative to “Patch the Planet” – or at least 30 high-profile open source projects. The announcements come as Anthropic’s Mythos mess keeps getting more complicated, with national security concerns clouding defenders’ abilities to use that AI company’s most advanced models to find and fix vulnerabilities – or perhaps it’s just politics as usual. They also coincide with a general feeling of FUD around AI cyberattacks and the impending vulnpocalype. The Reg’s vultures will keep out collective eyes on all of this. First off: GPT‑5.5‑Cyber. After releasing a preview version of the model to a select group of “trusted defenders,” OpenAI on Monday released an update that it says makes the model even better at finding – and also fixing – bugs in code. “It is our strongest model yet for finding and helping patch software vulnerabilities, while retaining GPT‑5.5’s general-purpose intelligence and ability to work across long, complex tasks,” the AI shop said. “The model can sustain deeper analysis across large codebases: identifying security-relevant components, tracing whether vulnerable code is reachable, validating likely issues in controlled environments, developing and testing patches, and preparing evidence for human review.” OpenAI said it evaluated the update and 5.5 preview using a few different benchmarks: CyberGym, which test how well AI systems can reproduce known vulnerabilities; ExploitGym, which determines how well models can turn known vulnerabilities into working exploits that achieve unauthorized code execution; and SEC-bench Pro, which measures AI systems’ long-horizon vulnerability discovery and proof-of-concept generation capabilities. The updated version 5.5 outperformed the preview model in all three tests, we’re told. On CyberGym, the updated GPT‑5.5‑Cyber reached 85.6 percent success, compared with 81.8 percent for GPT‑5.5. On ExploitGym, it outperformed the earlier model 39.5 percent versus 25.95 percent. And on SEC-bench Pro, GPT‑5.5‑Cyber hit 69.8 percent, compared with 63.1 percent for GPT‑5.5. Plus, OpenAI assures everyone that it’s had “ongoing dialogue” with the US government, including about its latest model plus upcoming releases, so hopefully that insulates the company against any surprise export controls. OpenAI also expanded its partner program. The OpenAI Daybreak Cyber Partner Program currently has about 30 security-vendor and service-provider partners, and only these select firms get to use the updated GPT‑5.5‑Cyber model. OpenAI says it plans to add more organizations to the elite group “in the coming months.” FOSS flaw-finding Also on Monday, OpenAI announced Patch the Planet, an initiative to help open source project maintainers find and patch vulnerabilities. This initiative, co-founded with Trail of Bits and launched in collaboration with HackerOne and AI-powered bug hunting outfit Calif, provides participating open source projects with ChatGPT Pro, conditional access to its Codex Security scanner, and API credits for core development, maintainer automation, and release workflows. “Maintainers define their priorities, preferences, and established disclosure processes,” according to OpenAI. “Patch the Planet security researchers then manage the work end to end - validating and deduplicating both vulnerabilities and patches before they reach maintainers, significantly reducing the burden on maintainers and speeding up remediation.” Trail of Bits reports that in the first week alone, Patch the Planet uncovered hundreds of bugs, and generated 64 pull requests with 51 issues filed across 19 projects. The 19 projects Patch the Planet assists includes cURL, NATS, pyca, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. More than 30 projects have joined so far, and project maintainers can apply to join the initiative. Some of the initiative’s highlights from the week include using GPT-5.5-Cyber to build a full-scale fuzzing lab in under a day – an effort we’re told would have take human fuzzing experts two or three weeks to do manually. Patch the Planet also used Codex to build a CVE variant analysis pipeline. This also took less than a day to complete. Speaking of Codex: OpenAI on Monday released a Codex Security plugin⁠ that the company says “enables out-of-the-box defensive security workflows,” allowing developers to integrate Codex into their workflows and CI/CD pipelines. The scanner, which was released as a research preview in March, has so far scanned more than 30 million commits across more than 30,000 codebases, according to OpenAI. Of these, human reviewers have manually marked about 70,000 findings as fixed, and AIs have auto-determined that more than 500,000 findings are fixed. In addition to performing automated scans and reviewing code changes, the new plugin can “triage and validate existing findings from scanners, advisories, bug-bounty reports, or ticketing systems, then automate patch generation at scale to quickly close a backlog of vulnerabilities,” OpenAI said. After it completes a scan, the AI coding agent can export reports to existing vulnerability management systems or integrate into tools with SARIF files and CodeQL queries. “The plugin makes these capabilities much more accessible to support automated pipelines with Codex CLI or integrate into developer workflows in the Codex app,” according to OpenAI. ®

Source link