The Human-in-the-Loop Security Model

'Patch the Planet' is a collaborative initiative between OpenAI and Trail of Bits designed to strengthen open-source software by integrating AI-assisted research with expert human oversight. The core philosophy is to reduce, rather than increase, the workload for maintainers.

Security engineers act as a critical filter: they review all AI-generated findings, reproduce evidence, remove duplicates, and assess severity before any report reaches a maintainer. This ensures that maintainers only interact with high-signal, actionable data. Maintainers retain full agency over the remediation process, including patch development and disclosure timelines.

AI-Driven Security Workflows

The initiative utilizes frontier models (GPT-5.5-Cyber) and Codex Security to compress security engineering timelines from weeks to days. Key reusable workflows include:

  • Automated Fuzzing Labs: Engineers use goal-oriented prompts to build fuzzing infrastructure covering dozens of entry points and test seeds. This setup, which previously took weeks, is now achievable in under a day.
  • Historical CVE Variant Analysis: An end-to-end pipeline ingests historical CVEs, extracts vulnerability patterns, and searches target codebases for similar flaws. Specialized judging agents filter false positives and deduplicate results before human review.
  • Differential Testing: By using AI to generate shim and glue code, teams can fuzz multiple implementations of the same protocol against one another to identify behavioral divergences that signal bugs.
  • Specification-Grounded Testing: Models are used to develop threat models, attack taxonomies, and invariant tests based on RFCs and project documentation, resulting in improved test suites and CI/CD pipelines.

Impact on Critical Infrastructure

The project focuses on foundational software—including the Linux Kernel, OpenBSD, FreeBSD, and various networking tools—where security improvements provide broad downstream benefits. Early results have been significant:

  • Linux Kernel: Identified hundreds of issues, including 24 local privilege escalation (LPE) exploits.
  • Browsers: Found and reported over 10 exploitable vulnerabilities in Safari and five in Chrome's V8 engine within short timeframes.
  • Network Security: Independently identified patterns corresponding to four dnsmasq CVEs and discovered the 'HTTP/2 Bomb' denial-of-service technique affecting major server software like NGINX and Apache.