Open Source · JUNE 23, 2026
OpenAI ships full GPT-5.5-Cyber at 85.6% CyberGym, opens Patch the Planet with Trail of Bits across 19 projects
The Daybreak expansion pairs the full release of a model that had been in permissive-only preview (85.6% CyberGym, 39.5% ExploitGym) with an open-source remediation sprint that merged dozens of patches across cURL, Python, and the Linux kernel in its opening week.
OpenAI on June 22 promoted GPT-5.5-Cyber out of its permissive-only preview, gated the production model behind a Trusted Access for Cyber program, and bolted on a Trail of Bits-led open-source remediation sprint called Patch the Planet that's already pushed 64 pull requests and 51 issues into 19 upstream projects in its first week.
The benchmark numbers are the easy part of the story. GPT-5.5-Cyber posts 85.6% on CyberGym against 81.8% for the standard model, and 39.5% on ExploitGym against 25.95%. SEC-bench Pro figures accompany the release. The harder part is that OpenAI is no longer shipping a defensive frontier model as a pure capability announcement. It's shipping the model with the cleanup operation pre-attached, which is something the industry hasn't really done before.
Patch the Planet's launch roster reads as a deliberate sampling of the dependency graph everyone actually uses: cURL, Python and python.org, the Go project, pyca/cryptography, aiohttp, Sigstore, NATS Server, freenginx. OpenAI claims dozens of patches merged. Trail of Bits says the first-week haul includes hundreds of discovered bugs across 19 projects, with more than 30 committed to participate via HackerOne coordination.
The framing leans on a Linux Foundation and Harvard finding the company keeps citing: in 94% of widely used projects, fewer than 10 developers are responsible for over 90% of code added in a year. The maintainer-burnout argument has been a Washington talking point since Log4Shell. Daybreak is the first time a frontier lab has paid for both halves of it.
The vulnerability disclosures attached to the launch are doing work the press release can't. The Linux kernel analysis spanned more than 30 million lines of code and produced 8 kernel pointer information-leak PoCs and 24 local privilege-escalation exploits. FreeBSD yielded 34 vulnerabilities and 7 LPE PoCs. There were 6 dnsmasq bugs, 5 exploitable V8 bugs in Chrome, more than 10 WebKit findings, an HTTP/2 Bomb DoS technique affecting NGINX, Apache, IIS, and Pingora, a 23-year-old use-after-free in OpenBSD's System V semaphore implementation, and a 29-year-old Squid proxy flaw now tracked as CVE-2026-47729, dubbed Squidbleed.
Then there's the Pwn2Own data point. Two days before Pwn2Own Berlin, Mozilla patched CVE-2026-8390 after coordinating with OpenAI. Five of six registered Firefox entries withdrew. A defensive model quietly evaporating a competition bracket is the kind of result the offensive-research community will be arguing about for a year.
Trail of Bits buries the actual tell in its post. Using Codex /goal runs, the firm built a full fuzzing lab with a dozen entry-point harnesses in under a day. Their estimate for a human fuzzing expert: two to three weeks. The Daybreak Cyber Partner Program, with Accenture, Cisco, CrowdStrike, IBM, Okta, Palo Alto Networks, and Wiz as launch partners, is the commercial wrapper. The fuzzing lab is the thesis.
Sources
- Daybreak: Tools for securing every organization in the world
- Patch the Planet: a Daybreak initiative to support open source maintainers
- Introducing Patch the Planet (Trail of Bits)
- OpenAI Expands Daybreak With GPT-5.5-Cyber (The Hacker News)
- OpenAI expands Daybreak with Patch the Planet and full GPT-5.5-Cyber release (SiliconANGLE)