OpenAI launches Patch the Planet to fix open-source vulnerability debt

Read the original article →

What happened

OpenAI launched Patch the Planet on June 22, a coordinated disclosure program run with Trail of Bits, HackerOne, and other partners. Every AI-generated finding is manually reviewed and deduplicated by Trail of Bits before it reaches a maintainer.

More than 30 open-source projects have joined, including cURL, Go, Python, Sigstore, and aiohttp. An initial five-day sprint produced hundreds of reviewed findings and dozens of merged patches.

Why it matters

AI can generate bug reports faster than volunteers can triage them, and research cited by OpenAI found that 94% of widely used projects have fewer than 10 core developers. Unfiltered AI reports could bury those maintainers.

Mandatory human review before disclosure is the key design choice. It treats maintainer attention as the scarce resource, not the model's output.

MintedBrain take

The review-first structure is the part worth copying. Any team pointing AI at security research should filter and deduplicate findings before sending them to whoever has to act on them.

References

Discussion

  • Loading…

← Back to News