OpenAI announces the "Patch the Planet" project, providing cybersecurity support to 19 well-known open-source projects including cURL, Python, and PyPI.

OpenAI has announced the “Patch the Planet” program in partnership with the cybersecurity firm Trail of Bits. In the first week alone, hundreds of security vulnerabilities were discovered, 64 pull requests were submitted and 51 issues were opened, spanning 19 core open-source projects worldwide, including cURL, Python, and PyPI.

Table of Contents

  • cURL, Python, PyPI: Why These Projects?
  • The Ghost of log4j, and a New Approach with AI
  • OpenAI’s PR and Strategic Positioning

In 1995, the protagonist of the hacker movie Hackers shouted “Hack the Planet,” a declaration against corporate control of the internet. Thirty years later, OpenAI changed that slogan to “Patch the Planet”—the same rhyme, but in a completely opposite direction.

cURL, Python, PyPI: Why These Projects?

The partners behind “Patch the Planet” include the cybersecurity firm Trail of Bits, the vulnerability rewards platform HackerOne, and Calif. OpenAI contributes two tools: Codex Security and the updated GPT-5.5-Cyber.

The 19 open-source projects that benefited in the first wave already make the point very clearly: cURL, Python, PyPI, urllib3, aiohttp, the Go project, freenginx, NATS, pyca, Sigstore, SimpleX, Valkey, RustCrypto, and python.org, among others. These are not niche tools; they are the infrastructure of the entire modern internet. cURL is estimated to be installed on more than 20 billion devices worldwide, and Python is one of the most widely used programming languages globally…

Choosing these targets means that for every vulnerability found by AI, the impact may not be limited to hundreds of users—it could affect hundreds of millions of systems.

Resources OpenAI provided to participants include ChatGPT Pro access, privileged access to Codex Security, API credits, and a complete set of security infrastructure: fuzzing harnesses (in simple terms, test frameworks that automatically feed random inputs into programs to force hidden bugs to surface), a historical CVE analysis pipeline, a differential testing system (which runs the same inputs through two implementations of the same logic and flags any disagreement), threat models, and expanded test suites.
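The fuzzing and differential-testing idea described above, as an added example that is not code from OpenAI, Trail of Bits or any of the listed projects: a small harness feeds random header lines to a reference parser and to a "fast" parser carrying a bug planted for this example, and reports every input on which the two disagree. The header format, parser names and input alphabet are all constructed for illustration.

```python
import random
from typing import List, Optional, Tuple

HEADER = b"content-length:"

def parse_content_length_ref(line: bytes) -> Optional[int]:
    """Reference parser: after trimming, the whole value must be digits."""
    name, sep, value = line.partition(b":")
    if not sep or name.lower() != b"content-length":
        return None
    value = value.strip()
    return int(value) if value.isdigit() else None

def parse_content_length_fast(line: bytes) -> Optional[int]:
    """Hand-optimised variant with a bug planted for this example: it stops at
    the first non-digit instead of rejecting the value, so b"12 34" gives 12."""
    if not line.lower().startswith(HEADER):
        return None
    digits = bytearray()
    for ch in line[len(HEADER):].lstrip():
        if not 0x30 <= ch <= 0x39:  # stop at the first non-ASCII-digit byte
            break
        digits.append(ch)
    return int(digits) if digits else None

# Constructed input space: a few header names plus a small byte alphabet
# mixing digits, whitespace and junk characters.
NAMES = [b"Content-Length", b"content-length", b"Content-Len", b"X-Other"]
ALPHABET = b"0123456789 \t+-xX"

def random_line(rng: random.Random) -> bytes:
    """Generate one random header line from the constructed alphabet."""
    value = bytes(rng.choice(ALPHABET) for _ in range(rng.randint(0, 6)))
    return rng.choice(NAMES) + b":" + value

def fuzz(seed: int = 1, iterations: int = 2000) -> List[Tuple[bytes, Optional[int], Optional[int]]]:
    """Feed the same random lines to both parsers and return every input on
    which they disagree as (input, reference_result, fast_result)."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        line = random_line(rng)
        ref, fast = parse_content_length_ref(line), parse_content_length_fast(line)
        if ref != fast:
            findings.append((line, ref, fast))
    return findings

if __name__ == "__main__":
    for line, ref, fast in fuzz()[:5]:
        print(f"{line!r}: reference={ref} fast={fast}")
```

Every disagreement the harness reports is a value such as `12 34` or `12x` that the reference rejects but the fast parser silently truncates; in a real project the reference would be a second, independent implementation or a specification-derived oracle rather than a toy.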

The Ghost of log4j, and a New Approach with AI

In December 2021, the log4j vulnerability incident shook the entire tech industry. Apache log4j is one of the most widely used logging tools in the Java ecosystem. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) called it “one of the most severe vulnerabilities ever.” The root of the problem wasn’t that the technology was too complicated—it was that there simply wasn’t enough manpower to systematically audit every project that depended on it.

The cybersecurity predicament of the open-source ecosystem is, at its core, a manpower issue: there are hundreds of thousands of open-source packages worldwide, and many are maintained by only one or two people, which makes a complete security audit of all that code nearly impossible. Vulnerabilities are often discovered only years after they first appear, and those who find them are not necessarily well-intentioned white-hat researchers.

This is the structural issue “Patch the Planet” is trying to address. AI’s advantage isn’t finding a one-of-a-kind genius-level vulnerability—it’s the ability to scan vast code repositories continuously at a density that human teams simply can’t sustain. The positioning of GPT-5.5-Cyber and Codex Security is closer to “an automated security auditing worker” than “a hacker smarter than humans.”

This positioning matters: if AI only finds a vulnerability occasionally, it’s just a tool. But if it can keep operating at this speed week after week, it will start changing the security assumptions across the entire open-source ecosystem.

OpenAI’s PR and Strategic Positioning

The capabilities of AI cybersecurity tools and the capabilities of AI used for attacks are essentially the same set of technologies. GPT-5.5-Cyber, which can identify vulnerabilities, could theoretically also be used to exploit them. OpenAI’s decision to package this capability as “patching the open-source world” is a proactive PR and strategic positioning—it’s saying: “We’re going to use this capability to do the right things first, and we’re doing it faster than anyone else.”

As the old saying goes: the real security moat of cybersecurity has never been about whether you know vulnerabilities—it’s about how fast you can find them, and then patch the holes before bad actors can use them.
