OpenAI launches new initiative to help find and patch open source bugs

OpenAI announced a new initiative on Monday designed to help the open source community up its cybersecurity game and fend off bugs.
“Patch the Planet” (a not-so-subtle allusion to “Hack the planet”, the iconic tagline from the 1995 film “Hackers”) sees OpenAI team up with the security company Trail of Bits to help open source maintainers secure their projects.
OpenAI said Trail of Bits security personnel will work directly with open source maintainers to assess potential code issues. OpenAI’s security tools – such as Codex Security – will be used to assist in the process.
“Many administrators are already being asked to search more reports faster, with the same limited time and resources,” OpenAI said Monday. “Patch the Planet is built to reduce that burden, not add to it: security engineers review findings before they reach administrators, work with projects to develop patches and tests, and build reusable workflows that help teams continue to improve security after the first fixes land.”
In other words, Trail of Bits’ engineers will function more or less like code EMTs: they’re there to help maintainers of open source projects identify and assess potential problems, all supported by OpenAI’s software. It sounds like an ambitious project, and it’s somewhat unclear how it will function in the long term, or how it plans to scale (if at all).
Open source projects are the digital foundation upon which the commercial software industry rests, but unfortunately, because that ecosystem is decentralized and loosely governed, much of the software is insecure. Bugs in open source projects can become major problems for the commercial codebases that depend on them. The Log4j debacle from several years ago – when a serious vulnerability was discovered in a widely used open source logging library – is a good example.
Much of the concern around tools like Mythos (Anthropic’s much-discussed security tool) seems to stem from the fact that AI can now automatically identify existing bugs in codebases and create exploits for them. While the automation of cybercrime is not new, these tools undoubtedly have the potential to make it significantly more useful for bad actors.
OpenAI turns that formula on its head by using AI to help the open source community better protect itself. It’s hard not to read it as a competitive swipe at Anthropic, while also recognizing that it’s something the open source community desperately needs.