AI writes the bug and the patch: who reviews the reviewer?

On June 22, 2026, OpenAI expanded its Daybreak cybersecurity program by shipping GPT-5.5-Cyber in full release alongside an initiative called Patch the Planet, co-founded with Trail of Bits and HackerOne. In its first week, the program filed 64 pull requests, merged 37 patches, and filed 51 issues across 19 projects including cURL, Python, Go, pyca/cryptography, and Sigstore. The same model class that surfaces a vulnerability now writes the fix and submits the PR. That closes the loop , and removes every independent check that used to sit between discovery and merge.

The bottleneck moved from finding to fixing#

For years the hard part of security work was finding bugs. Models changed that. SiliconAngle reported that OpenAI now says its models find vulnerabilities faster than defenders can fix them, leaving security teams buried in reports. The new constraint is patch velocity, not discovery rate.

Trail of Bits described GPT-5.5-Cyber building a full fuzzing lab in under a day for one of the most-reviewed C libraries in existence , sanitizer builds, seed corpus from existing tests, harnesses across a dozen entry points. Their estimate: the equivalent manual effort would have taken a fuzzing expert two to three weeks. That compression is real. It also means the volume of findings arriving at any given maintainer's inbox is going to keep rising regardless of this particular program.

The numbers behind the dependency problem#

OpenAI cited Linux Foundation and Harvard research finding that 94% of widely used projects had fewer than 10 developers responsible for more than 90% of the code added in a year. That is the actual maintenance surface for libraries running inside billions of production systems. Throwing more AI-generated bug reports at teams that small produces a bigger backlog, not better security , which is the stated rationale for having Trail of Bits engineers triage before any finding reaches a maintainer.

GPT-5.5-Cyber scored 85.6% on CyberGym (up from 81.8% for standard GPT-5.5) and 39.5% on ExploitGym, the benchmark for turning a known vulnerability into working code execution. That second number deserves a moment. The same capability that lets a defender confirm a finding is real is the capability that lets an attacker build an exploit. OpenAI gates GPT-5.5-Cyber behind a Trusted Access for Cyber program; the general release version is the milder GPT-5.5. The strongest tool is not for sale , you get vetted for it.

The closed-loop problem#

Patch the Planet's design includes a human review step: a Trail of Bits security engineer checks every finding before it reaches a project maintainer. That is a meaningful friction point. But it is one organization's engineers, working at speed, using the same model family to validate findings that the same model family produced.

Trail of Bits noted that false-positive filtering and severity correction are the hard problems. Without project-specific threat models and severity criteria, models default to rating everything critical. The aiohttp case is instructive: maintainers merged all eight reported fixes within hours of disclosure, seven of them inside a single five-hour window, which is fast and impressive, but it also illustrates how quickly AI-generated patches move into production code once the triage step passes.

Codex Security has scanned more than 30 million commits across more than 30,000 codebases since its March 2026 research preview, with human reviewers marking more than 70,000 findings as fixed. At that scale, the quality of the review layer matters as much as the quality of the detection layer.

What this means for your dependency graph#

If your stack includes cURL, Python, Go, urllib3, or pyca/cryptography , and most production stacks include at least one , your SBOM now contains AI-authored patches. That is not an argument against the patches; several appear to be genuine improvements, including new fuzzing harnesses and CI scanning at python.org. It is an argument for flagging them in your own review pipeline.

An AI-written patch that fixes the disclosed vulnerability while subtly altering adjacent behavior is not a hypothetical risk. It is the same class of problem that makes any automated code change worth treating as a first-class review object rather than a rubber stamp. The 13-step verification process Hyrax runs before submitting any PR exists precisely because fast generation and correct generation are different properties.

The structural question underneath#

Patch the Planet is probably net positive for open-source security in aggregate. More maintainers get patched code, reusable testing infrastructure, and expert triage they could not otherwise afford. OpenAI found a 23-year-old use-after-free flaw in OpenBSD's kernel. Mozilla patched a WebAssembly flaw found with GPT-5.5 two days before Pwn2Own Berlin.

The structural question is not whether the patches are good. Most appear to be. The question is what review capacity exists between an AI-generated patch and a merge into code that runs everywhere. Trail of Bits engineers provide that capacity for Patch the Planet participants. For the rest of the dependency graph , the projects not in the program, and the teams consuming packages that are , that review gap is real and belongs to whoever runs the downstream codebase.

Hyrax sits exactly in that gap: it reads the entire codebase, applies six agent domains including security, runs 13 verification steps, and submits the PR. The user merges. Nothing auto-merges. That sequence does not change because the upstream fix came from a frontier model.

Hyrax is live at hyrax.dev.