OpenAI has announced the release of an updated GPT-5.5-Cyber model for trusted security professionals as part of the Daybreak initiative, as well as the launch of the Patch the Planet program together with Trail of Bits to protect critical open-source projects. The initiative covers projects such as cURL, Python, Go, Sigstore and freenginx, and is aimed at addressing a growing problem: AI models are finding vulnerabilities faster than maintainers can fix them. At the same time, intelligence agencies from five countries warn that advanced AI models are compressing the window between vulnerability discovery and exploitation down to months.
GPT-5.5-Cyber and the Codex Security update
According to OpenAI, GPT-5.5-Cyber is positioned as “the most powerful model for finding and helping remediate software vulnerabilities.” The company claims the model can perform deep analysis of large codebases, identify security issues, validate them in a controlled environment, and design and test patches. These capability claims come from the vendor itself and have not yet been confirmed by independent benchmarks.
In parallel, an updated version of the Codex Security plugin has been released, which, according to OpenAI, provides:
- Deep code scanning and analysis of recent changes
- Report generation with severity ratings, affected code sections, and remediation recommendations
- Threat modeling and attack-path tracing
- Validation of results from scanners, recommendations, bug bounty reports, and ticketing systems
- Bulk patch generation to accelerate the closure of accumulated vulnerabilities
Patch the Planet: protecting open source
The Patch the Planet program is designed to reduce the burden on maintainers of open-source projects. Within the initiative, security engineers review and validate findings, work with projects to develop patches and tests, and create reusable workflows for vulnerability discovery.
Among the first participants in the program are cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python and python.org. The participant list has been published by OpenAI; independent public confirmation from the individual projects has not yet been provided.
Vulnerabilities discovered under Daybreak
OpenAI reports that the Daybreak initiative has already led to the discovery of a number of vulnerabilities in operating systems and browsers. Confirmed findings include:
- 8 kernel pointer-leak PoC exploits and 24 privilege-escalation exploits in the Linux kernel
- A 23-year-old use-after-free bug in the System V semaphore implementation in the OpenBSD kernel
- 34 vulnerabilities and 7 privilege-escalation PoCs in FreeBSD
- 6 vulnerabilities in dnsmasq, including CVE-2026-4890, CVE-2026-4891, CVE-2026-4892 and CVE-2026-5172
- A WebAssembly vulnerability in Mozilla Firefox — CVE-2026-8390
Of particular note is CVE-2026-47729 (Squidbleed) — a 29-year-old vulnerability in the Squid web proxy that reportedly allows interception of other users’ plaintext HTTP requests under certain conditions. The existence of this CVE is confirmed by an entry in the NVD.
Important caveat: the quantitative data on vulnerabilities in Linux, FreeBSD and a number of other products is based on the project’s own publication and has not been confirmed by independent sources. Exploitation status is limited to available PoCs; no confirmed active exploitation in the wild has been recorded at this time.
Context: AI as an accelerator for both sides
The launch of Daybreak and Patch the Planet comes amid growing pressure from government regulators. In guidance published in May 2026, the Canadian Centre for Cyber Security explicitly warned that threat actors with limited technical expertise are already using publicly available AI models for malicious purposes. Organizations are advised to assume that AI-assisted exploitation can bypass preventive controls and significantly outpace vendors’ ability to release fixes.
Intelligence agencies from Australia, Canada, New Zealand, the United Kingdom and the United States, in a joint statement via the NCSC, emphasized that advanced AI models are capable of fundamentally transforming both offensive and defensive cyber capabilities, and that “the time horizon is measured not in years, but in months.”
This creates a paradoxical situation: the same technology that helps defenders find vulnerabilities also lowers the barrier to entry for attackers. The emergence of so-called “vibe-coded exploits” — where AI is used to rapidly generate exploits based on fresh disclosures — further compresses the response window.
Impact assessment and recommendations
Maintainers of open-source projects that underpin modern infrastructure are at the greatest risk. Projects such as cURL, Python and Go are used in millions of systems, and any unresolved vulnerability in them has a cascading effect. Organizations that depend on the components mentioned — dnsmasq, Squid, FreeBSD — should assess their exposure to the discovered vulnerabilities.
Practical steps:
- Check for updates for dnsmasq (CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-5172), Squid (CVE-2026-47729) and Firefox (CVE-2026-8390)
- Organizations using OpenBSD should apply the fix for the use-after-free in the System V semaphore implementation
- Maintainers of open-source projects should consider participating in Patch the Planet to obtain resources for validation and remediation of vulnerabilities
- Integrate AI-based vulnerability discovery tools into existing processes, while maintaining human oversight over patching decisions
- Revisit internal SLAs for vulnerability remediation, taking into account the shrinking exploitation window
OpenAI’s initiatives represent a significant shift: from a model in which AI only finds vulnerabilities to a closed loop of “discovery — validation — patch — testing — deployment.” However, the key question remains open — how effective this model will be in practice and whether mass AI-driven discovery will create a new wave of “noise” for maintainers. Organizations using the affected components should already be checking whether the published CVEs apply to their infrastructure and prioritizing the installation of available fixes, without waiting for exploits to appear in the wild.