devtake.dev

OpenAI is now using GPT-5.5 to find and patch open-source bugs at scale

OpenAI's Daybreak push pairs the new GPT-5.5 default model with GPT-5.5-Cyber, a tool that finds, validates, and patches software flaws. Here's what it does and the catch.

Dieter Morelli · · 7 min read · 6 sources
Illustration for OpenAI's Daybreak security program and the GPT-5.5-Cyber model
Image: thehackernews.com · Source

OpenAI just turned its newest model loose on the world’s broken code. On June 22 the company expanded Daybreak, its cybersecurity program, with the full release of GPT-5.5-Cyber, a new Codex Security plugin, and an open-source patching effort called Patch the Planet. The pitch on the tin is enormous: “tools for securing every organization in the world.”

That lands two months after GPT-5.5 itself shipped and became the default brain inside ChatGPT. So the same week most people are getting a smarter chatbot by default, OpenAI is also pitching that model’s security-tuned cousin as a way to fix software at internet scale. If you maintain code, ship code, or just run code that other people wrote, which is everyone, the second story is the one that actually changes your week.

What GPT-5.5 changed first

Start with the consumer side, because that’s the model you’re already talking to. OpenAI released GPT-5.5 on April 23, and GPT-5.5 Instant has since rolled out as the default model in ChatGPT, replacing the previous Instant model for free and paid users alike. It’s faster, more personalized, and tuned for the kind of everyday back-and-forth that makes up most of ChatGPT’s traffic.

The framing from OpenAI’s leadership was deliberately big. President and co-founder Greg Brockman called it “a real step forward towards the kind of computing that we expect in the future,” while adding the rare caveat that “it is one step, and we expect to see many in the future.” Brockman also used the launch to describe a “super app” strategy, fusing ChatGPT, the Codex coding agent, and an in-house AI browser into one enterprise product. That’s the commercial arc. Daybreak is the part of it pointed at security, and it’s the more interesting half.

What Daybreak actually is

Daybreak is OpenAI’s name for its whole defensive security stack, and GPT-5.5-Cyber is the engine inside it. Per OpenAI’s own description, the model can sustain deeper analysis across large codebases, spot a likely flaw, reproduce it in a controlled environment to confirm it’s real, then write and test a patch. The selling point is the full loop, not just the bug report. OpenAI frames the shift as moving “from finding bugs to landing fixes,” which is the part open-source maintainers have always been short on.

The numbers behind it are concrete. GPT-5.5-Cyber hit 85.6% on CyberGym, a benchmark that tests whether an agent can reproduce known vulnerabilities, against 81.8% for the standard GPT-5.5. It also posted 39.5% on ExploitGym (up from 25.95%) and 69.8% on SEC-bench Pro (up from 63.1%). OpenAI says that CyberGym result is the highest single-model score it has measured. Benchmarks aren’t the field, and a lab grading its own model deserves a raised eyebrow, but the gap between the cyber variant and the base model is the signal that matters here.

Three pieces sit on top of the model. The Codex Security plugin drops security workflows straight into the Codex coding interface, so a developer can go from threat modeling to a verified fix without leaving the tool. OpenAI says Codex has scanned more than 30 million commits across 30,000-plus codebases since a March preview, with human reviewers marking over 70,000 findings as fixed. Trusted Access for Cyber is the gate: the full GPT-5.5-Cyber model is restricted to vetted defenders, and being inside the program reduces the automated safety refusals that would otherwise block legitimate offensive-security tasks like writing a proof-of-concept exploit. Patch the Planet is the open-source arm, which I’ll come back to.

Who it’s for, and who it isn’t

This is the line that keeps Daybreak from being a free-for-all. The general public gets GPT-5.5 Instant in ChatGPT. The vulnerability-hunting model is fenced off. Access to the full GPT-5.5-Cyber runs through Trusted Access for Cyber, aimed at verified defenders working on authorized cybersecurity tasks, not anyone with a credit card and an API key.

OpenAI also lined up a partner program so security vendors can wire GPT-5.5 into their own products through that same gated access. The launch partners read like a who’s-who of the industry: Accenture, Cisco, CrowdStrike, IBM, Okta, Palo Alto Networks, and Wiz, according to SiliconANGLE. OpenAI says it has also signed cooperation agreements with Australia, Canada, France, Germany, Japan, South Korea, and EU institutions. The shape of the rollout tells you OpenAI knows exactly how dangerous a fully open version would be.

Patch the Planet is the part aimed at the rest of us by proxy. OpenAI founded it with security firm Trail of Bits, in collaboration with HackerOne, to fund researchers who work directly with open-source maintainers. More than 30 projects have signed on, with early participants including cURL, the Go project, Python, Sigstore, and pyca/cryptography. An initial five-day sprint, OpenAI says, surfaced hundreds of issues and merged dozens of patches. The early haul is the eye-opener: 8 kernel pointer information-leak proofs and 24 local privilege-escalation exploits in the Linux kernel, a 23-year-old use-after-free in OpenBSD’s kernel, 34 vulnerabilities in FreeBSD, and 6 in dnsmasq.

The catch nobody can patch away

Here’s the part that should make you slow down. The same model that finds and fixes a memory-corruption bug is, by definition, a machine for finding memory-corruption bugs. Discovery is the hard part of an attack; weaponizing a known flaw is comparatively easy. A tool that’s genuinely good at the first half is dual-use no matter what label OpenAI puts on it. That’s the whole reason the full model lives behind Trusted Access for Cyber instead of in the API everyone can hit.

The defense rests on two human-shaped backstops, and both can bend. OpenAI says a human security engineer reviews every Patch the Planet finding before it reaches a maintainer, and Trail of Bits engineers validate issues and coordinate disclosure. That’s the right call, because an AI bug-hunter at scale also produces noise at scale. A flood of low-quality or hallucinated vulnerability reports is already a real problem for open-source maintainers, who don’t have the staffing to triage a firehose of plausible-looking RCE claims that turn out to be nothing. Human review is the safeguard against false positives drowning the very people Patch the Planet says it’s helping. It’s also the bottleneck that decides whether this scales or just shifts the burden.

Then there’s the offense-versus-defense math. The optimistic read is that defenders, who have to find every bug, gain more from automation than attackers, who only need one. The pessimistic read is that whoever has the better model wins, and the best models are expensive, gated, and not evenly distributed. OpenAI’s access controls assume that today’s gate holds and that no comparably capable open-weight model leaks the same capability to everyone tomorrow. Anthropic is pushing a parallel pitch with its own security-focused Claude Mythos cyberdefenders work, and the open-weight labs are not far behind. Gates are a snapshot, not a guarantee.

What this means for you

If you maintain open source, this is the most consequential change. Expect more, and better-sourced, vulnerability reports, but also expect that the volume could swamp you if the human-review promise slips. Ask any program contacting you whether a real engineer validated the finding before it hit your inbox, and treat unvetted AI reports the way you’d treat any drive-by bug claim. If you’re a developer who ships code, the Codex Security plugin is the piece you can actually touch today, and it’s worth a pilot on a non-critical repo to see whether its fixes hold up under your own tests, not OpenAI’s benchmarks. And if you’re just a ChatGPT user, the model answering you now is GPT-5.5 Instant, not the cyber variant, so the security story isn’t about your chats. The thing to watch over the next quarter is simple: whether the gated-access model stays gated, and whether the first open-weight model that matches GPT-5.5-Cyber arrives before anyone’s figured out what to do about it.

Share this article

Quick reference

GPT-5.5-Cyber
OpenAI's security-tuned variant of GPT-5.5, restricted to vetted defenders, built to find, validate, and help patch software vulnerabilities.
RCE
Remote code execution: an attacker runs arbitrary code on the target machine, the worst class of bug.
CyberGym
A security benchmark that measures whether an AI agent can reproduce known software vulnerabilities across real codebases.

Sources

Frequently Asked

What is Daybreak in one sentence?
It's OpenAI's cybersecurity program, tagged 'tools for securing every organization in the world,' built around GPT-5.5-Cyber for finding and fixing software vulnerabilities.
Can anyone use GPT-5.5-Cyber?
No. The full model is restricted to vetted defenders through OpenAI's Trusted Access for Cyber program, which dials back the automated refusals that block defensive security work.
Does the AI patch bugs on its own without humans?
Not for open source. OpenAI says a human security engineer reviews every Patch the Planet finding before it reaches a project maintainer, and Trail of Bits engineers validate issues.
What is the dual-use worry?
The same capabilities that find and fix a flaw can find and weaponize it. A vulnerability-discovery engine helps defenders and attackers alike, which is why access is gated.
How is this different from GPT-5.5 Instant becoming the default?
GPT-5.5 Instant is the consumer model now answering most ChatGPT prompts. GPT-5.5-Cyber is a separate, restricted variant tuned for security research.

Mentioned in this article