OpenAI's AI Now Hunts Bugs in the Code We All Use

OpenAI and Trail of Bits launched Patch the Planet — AI scans open source code for vulnerabilities and helps maintainers fix them before they become crises.

4 min read · Evgenii Arsentev, PhD

OpenAI and security firm Trail of Bits launched 'Patch the Planet' on June 22 — an initiative that uses AI to find vulnerabilities in open source software before bad actors do. The tool doing the scanning is Codex Security, OpenAI's system trained to read code for security flaws.

The process is deliberate, not fully automated. Trail of Bits security engineers use Codex Security to scan open source codebases, then manually review every finding before it goes anywhere near a project's maintainers. The team works alongside maintainers — not just dropping a list of problems in their inbox — to develop actual patches and write tests that prevent the same class of bug from returning. They also build reusable workflows so projects can keep catching similar issues on their own long after the initial audit.

The 'not adding to the burden' framing matters here. Open source maintainers already get flooded with low-quality automated security reports. A volunteer who keeps a widely-used library running in their spare time doesn't need another inbox full of unvetted scanner output — they need someone to show up with a working fix. Patch the Planet is built around that reality.

Why this matters for every builder

If you build anything, a web app, an API, an AI-powered tool, you almost certainly depend on open source libraries you didn't write and rarely inspect. Authentication, encryption, data parsing, HTTP clients: these often come from someone's volunteer project. When Log4j, a widely used Java logging library, was found in December 2021 to have a critical remote code execution flaw (Log4Shell, CVE-2021-44228), it exposed hundreds of millions of devices worldwide. The vulnerable JNDI lookup feature had shipped in Log4j 2 back in 2013, so the flaw sat quietly in the codebase for roughly eight years before anyone reported it.

That risk doesn't go away by ignoring it. A vulnerability in a library you depend on becomes your vulnerability, and your users are the ones exposed. Patch the Planet doesn't solve the whole problem, but it moves the needle: AI can read through a large codebase in the time a human security auditor would spend on the first few files, flagging patterns and edge cases that are easy to miss after hour six of the same review, while a human still triages what it flags before anything reaches a maintainer. This is AI being useful not just for writing new code, but for auditing the existing code the world already runs on.

What I'd actually do

While OpenAI's initiative helps the open source libraries themselves, your job is keeping your own dependency list current. Run your project through GitHub Dependabot or a tool like Snyk, and actually merge and deploy the update pull requests they open: one outdated package is all it takes. Patch the Planet protects the upstream source; you still have to pull the fixed version into your own build.
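A minimal Dependabot configuration for a repository with a Python backend, a JavaScript front end and GitHub Actions workflows, added here as an illustration (it is not from the article, nor from OpenAI or Trail of Bits; the directory layout and weekly schedule are assumptions for a hypothetical repo):

```yaml
# .github/dependabot.yml
# Added example; the paths and schedule below are assumptions for a
# hypothetical repository, not taken from the article.
version: 2
updates:
  # Python dependencies (requirements.txt / pyproject.toml) at the repo root
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

  # JavaScript dependencies for the front end, assumed to live in /frontend
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    groups:
      # Batch non-breaking bumps into a single PR so review stays manageable;
      # major bumps still arrive as their own PRs.
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # CI actions are dependencies too: keep them current so a compromised or
  # unmaintained action does not stay in the pipeline.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

This file configures version updates. Dependabot alerts and the automatic security-update PRs that target known vulnerable versions are switched on separately in the repository's Security settings, and neither helps until the PRs are merged and deployed, so make sure CI runs on them and someone owns reviewing them.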

#openai #security #open-source


Author: Evgenii Arsentev, PhD · Chief Product Officer at a tech company


Source: techcrunch.com