OpenAI targets software vulnerabilities with GPT-5.5-Cyber and Codex Security
Updated developer workflows can validate findings and generate patches, while OpenAI’s advanced cyber model remains restricted to trusted defenders.
OpenAI has added GPT-5.5-Cyber, updated Codex Security workflows, and open-source patching support to its Daybreak program
OpenAI has expanded its Daybreak cybersecurity program with an updated Codex Security plugin, the full version of GPT-5.5-Cyber under a limited release, a partner program for security providers, and an initiative supporting vulnerability fixes across more than 30 open-source projects.
The additions are intended for developers, enterprise security teams, approved cyber defenders, software vendors, open-source maintainers, and critical infrastructure operators. OpenAI says the program is shifting its focus from identifying vulnerabilities to validating problems, producing and testing patches, coordinating disclosure, and helping organizations deploy fixes.
Codex Security now provides security workflows inside Codex, including codebase scans, threat modeling, attack-path analysis, validation evidence, remediation guidance, and code-specific patch generation. Human reviewers retain control over which findings are investigated, which changes are applied, and what information is shared.
GPT-5.5-Cyber is being released through continued restricted access for verified defenders carrying out authorized cybersecurity work. OpenAI reports that the model outperformed the standard GPT-5.5 model across three cyber benchmarks, although the supplied announcement does not include independent replication of those results.
The OpenAI Daybreak Cyber Partner Program will make selected defensive capabilities available through products and services from more than 20 security businesses. Separately, Patch the Planet will work with researchers and maintainers to review and fix vulnerabilities affecting widely used open-source software.
Codex Security moves from alerts into patch generation
The updated Codex Security plugin can scan an entire codebase, a selected section, or an individual change or commit.
Developers can use it to produce reports containing severity ratings, affected code locations, supporting evidence, and remediation guidance. It can also review recent changes, trace possible attack paths, create threat models, validate existing findings, and generate patches for human review.
Codex Security can process findings from vulnerability scanners, security advisories, bug bounty reports, and internal ticketing systems. Results can be exported to existing vulnerability management systems or integrated into development workflows using SARIF files and CodeQL queries.
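The SARIF export mentioned above is what lets a team carry findings from a scanner into its own review queue without hand-copying them. As an added example that is not code from OpenAI or the Codex Security plugin, the Python below reads a SARIF 2.1.0 log, flattens each result to a rule, severity, file and line, applies the SARIF rule that a result's own `level` overrides the rule's `defaultConfiguration` (falling back to `warning`), and ranks findings by the `security-severity` rule property that CodeQL and GitHub code scanning attach to rules. The SARIF document, the rule ids and the file paths are constructed for the example.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document (not real scanner output): two rules,
# three results, shaped like a CodeQL / code-scanning export.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "py/sql-injection",
                 "shortDescription": {"text": "SQL query built from user input"},
                 "defaultConfiguration": {"level": "error"},
                 "properties": {"security-severity": "8.8"}},
                {"id": "py/clear-text-logging",
                 "shortDescription": {"text": "Sensitive data written to log"},
                 "properties": {"security-severity": "4.3"}},
            ]}},
        "results": [
            {"ruleId": "py/sql-injection",  # no level: inherits the rule default
             "message": {"text": "Query built from request parameter 'id'."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/clear-text-logging", "level": "warning",
             "message": {"text": "Password logged in plain text."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "py/clear-text-logging", "level": "note",
             "message": {"text": "Token fragment logged."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 88}}}]},
        ],
    }],
})


def parse_sarif(text):
    """Flatten a SARIF 2.1.0 log into a list of finding dicts."""
    log = json.loads(text)
    findings = []
    for run in log.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # Per the SARIF spec, result.level wins over the rule's default
            # level, and the level defaults to "warning" when both are absent.
            level = res.get("level") or rule.get(
                "defaultConfiguration", {}).get("level", "warning")
            # Only the first location is used here; SARIF allows several.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId"),
                "level": level,
                # CVSS-style score carried in rule properties by CodeQL exports.
                "severity": float(rule.get("properties", {})
                                  .get("security-severity", 0.0)),
                "message": res.get("message", {}).get("text", ""),
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
            })
    return findings


def count_by_level(findings):
    """Number of findings per SARIF level (error / warning / note / none)."""
    return Counter(f["level"] for f in findings)


def prioritize(findings, min_severity=7.0):
    """Findings at or above min_severity, highest score first, then by file and line."""
    ranked = sorted(findings,
                    key=lambda f: (-f["severity"], f["file"] or "", f["line"] or 0))
    return [f for f in ranked if f["severity"] >= min_severity]


if __name__ == "__main__":
    found = parse_sarif(SAMPLE_SARIF)
    print("by level:", dict(count_by_level(found)))
    for f in prioritize(found, min_severity=4.0):
        print(f"{f['severity']:>4}  {f['level']:<8} {f['rule']}  "
              f"{f['file']}:{f['line']}  {f['message']}")
```

The `min_severity` threshold is where a team encodes its own triage policy; the same flattened records can be written back out for a ticketing system, and a finding that disappears from a later SARIF run for the same commit range is the natural signal for marking it resolved.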
The plugin is also intended to help teams prevent new security flaws from reaching production by reviewing changes while software is being developed.
Sidharth Sharma, who leads go-to-market activity for OpenAI in Asia-Pacific, wrote on LinkedIn: "Cyber is quickly moving up the priority list for every enterprise. The focus now should be practical: securing code as it’s written, patching vulnerabilities faster and protecting the software supply chain."
OpenAI says Codex Security has scanned more than 30 million commits across over 30,000 codebases since the cloud version entered research preview in March.
Human reviewers have marked more than 70,000 findings as fixed, while OpenAI says over 500,000 findings were automatically determined to have been resolved.
The announcement does not provide a false-positive rate, the proportion of generated patches accepted by developers, or a comparison with other commercial security tools. OpenAI has also not disclosed public pricing for the updated plugin.
GPT-5.5-Cyber remains limited to verified defenders
OpenAI describes GPT-5.5-Cyber as its most capable model for advanced, authorized cybersecurity work.
The full version follows an initial preview designed to reduce unnecessary refusals during specialist defensive tasks. OpenAI says the updated model can analyze large codebases, identify security-relevant components, assess whether vulnerable code is reachable, test patches, and prepare evidence for human reviewers.
Access remains limited rather than generally available. OpenAI says GPT-5.5-Cyber is intended for verified defenders whose work requires advanced cyber capabilities and more permissive model behavior, supported by stronger verification, monitoring, scoped controls, and review.
For most defensive users, OpenAI recommends the standard GPT-5.5 model combined with Trusted Access for Cyber and Codex Security.
On CyberGym, a benchmark measuring whether an AI agent can reproduce known software vulnerabilities, OpenAI reports that GPT-5.5-Cyber scored 85.6 percent. The standard GPT-5.5 model scored 81.8 percent.
GPT-5.5-Cyber also recorded 39.5 percent on ExploitGym, compared with 25.95 percent for GPT-5.5. The benchmark tests whether agents can turn documented vulnerabilities into working exploits in controlled environments.
On SEC-bench Pro, which evaluates longer vulnerability discovery and proof-of-concept tasks across complex software targets, OpenAI reports scores of 69.8 percent for GPT-5.5-Cyber and 63.1 percent for GPT-5.5.
The figures are company-reported benchmark results rather than evidence of performance across all enterprise software environments. OpenAI says it is continuing to evaluate the model across complex repositories and remediation workflows as coordinated vulnerability disclosures are completed.
The organization is also working with the United States Center for AI Standards and Innovation on pre-deployment testing for GPT-5.5 and GPT-5.5-Cyber. Discussions also involve the Office of the National Cyber Director and the Office of Science and Technology Policy.
Partner program and open-source initiative widen access
The OpenAI Daybreak Cyber Partner Program allows participating security providers to use GPT-5.5 with Trusted Access for Cyber within their own products and services.
Direct model access remains with the approved partner rather than passing to every end customer.
The initial group includes Accenture, Akamai, Cisco, Cloudflare, CrowdStrike, Darktrace, IBM, NCC Group, Palo Alto Networks, Sophos, Trend AI, Wiz, and Zscaler, alongside other cybersecurity and professional services organizations.
OpenAI says it will work with participating companies on safeguards, monitoring, and abuse-prevention standards. The partner group is expected to expand over the coming months.
Patch the Planet addresses vulnerabilities in open-source software. OpenAI founded the initiative with Trail of Bits and is working with HackerOne, Calif, security researchers, and project maintainers.
More than 30 open-source projects have committed to participate. Initial projects include cURL, Go, Python, Sigstore, and pyca/cryptography.
Researchers will work directly with maintainers to identify priorities, follow existing disclosure processes, validate vulnerabilities, remove duplicate reports, and review proposed fixes before sending them to project teams.
Participating projects will receive ChatGPT Pro, conditional access to Codex Security, and application programming interface credits for development, automation, and release workflows.
OpenAI reports that an initial five-day sprint across several projects identified hundreds of issues for review and resulted in dozens of merged patches, with further fixes still in development. The announcement does not provide a project-by-project breakdown or independent assessment of the patches.
OpenAI says: "Finding vulnerabilities is important, but it’s landing the fix that protects the world, and that takes collaboration and community support."
The Daybreak expansion also covers government and critical infrastructure partnerships. OpenAI says it has established Trusted Access for Cyber relationships with Australia, Canada, France, Germany, Japan, the Republic of Korea, and European Union institutions including the European Union Agency for Cybersecurity.
OpenAI is also working with the UK government on cyber testing and evaluation. Its next phase will include direct work with eligible critical infrastructure operators and further expansion of the partner program, while the first group of more than 30 open-source projects moves through Patch the Planet.