OpenAI GPT-5.5-Cyber and Patch the Planet: AI That Fixes Code Vulnerabilities Automatically
- OpenAI launched GPT-5.5-Cyber on June 22 2026, a model trained on a decade of CVEs that patches 92% of OWASP Top 10 vulnerabilities within five minutes.
- The Patch the Planet initiative, co-founded with Trail of Bits, gives participating open-source projects free access — initial recipients include cURL, Python, and the Go project.
- Commercial API pricing starts at $0.04 per patch generation call, not the standard per-million-token model; open-source use is free.
- Access is restricted to verified security defenders today, with a US critical-infrastructure beta planned for August 2026 and global availability targeting Q4 2026.
On June 22, 2026, OpenAI expanded its Daybreak security program with the full release of GPT-5.5-Cyber — a purpose-built model trained specifically on vulnerability detection and automated patching. Alongside it came "Patch the Planet," a co-initiative with security firm Trail of Bits aimed at hardening widely-used open-source software at scale. The combination marks one of the clearest examples yet of a frontier lab shipping a purpose-built specialist model rather than stretching a general-purpose one.
What GPT-5.5-Cyber Can Do
Unlike general-purpose language models, GPT-5.5-Cyber was trained on a decade of CVEs, bug bounty reports, and private vulnerability databases. Given a vulnerable codebase, it generates production-ready patches in C, C#, Rust, Python, and JavaScript — complete with unit tests and regression analysis.
OpenAI reports the model correctly fixes 92% of OWASP Top 10 vulnerabilities and 78% of memory-safety bugs in Windows kernel drivers within five minutes, according to early internal benchmarks. These are significant numbers if they hold under independent review. The OWASP Top 10 covers the most commonly exploited web application flaws, and kernel memory-safety bugs are notoriously resistant to automated tooling.
Patch the Planet: Who Gets In
The Patch the Planet program pairs GPT-5.5-Cyber with funded support for open-source maintainers. OpenAI and Trail of Bits are co-funding the initiative, with HackerOne also involved through its bug-bounty network.
Initial participants include cURL, the Go project, Python and python.org, Sigstore, NATS Server, aiohttp, freenginx, and pyca/cryptography. Accepted projects receive ChatGPT Pro access, conditional Codex Security access, and API credits at no cost.
The rollout follows a staged timeline: a limited beta for US critical infrastructure launches in August 2026, with global API availability targeting Q4 2026.
Pricing and Access Restrictions
The pricing structure departs from OpenAI's standard per-token model:
- Open-source projects: free, via the Patch the Planet application process
- Commercial API: starting at $0.04 per patch generation call
GPT-5.5-Cyber is not accessible through the standard OpenAI API. Access is currently restricted to "verified, trusted defenders" — a deliberate choice given a model this capable at finding vulnerabilities carries obvious dual-use risk if released broadly.
For context, standard GPT-5.5 costs $5.00 per million input tokens and $30.00 per million output tokens. For security-specific workloads, the per-patch pricing could end up cheaper at scale depending on average context length, but developers who don't qualify as verified defenders cannot access it regardless of willingness to pay.
The Specialization Trend
GPT-5.5-Cyber is the sharpest example so far of a broader pattern: AI labs shipping narrow specialists alongside their general-purpose flagships. Kimi K2.7 Code targets tool-use accuracy; DeepSeek V4 Flash reset low-cost agent economics at $0.28 per million output tokens; Gemini 3.5 Flash was optimized for speed and cost efficiency at scale.
For developers, this means benchmark rankings matter less than task fit. A model that tops a general reasoning leaderboard may underperform on a specific security or code task compared to a purpose-built alternative. Testing multiple models on the same query — not just defaulting to the highest-ranked one — is increasingly the practical approach. That's the premise behind multi-model tools like ByteChat, where you can route the same question to several models at once and compare directly.
The Catch
The restricted access is the real limitation for most developers today. Unless your project qualifies for Patch the Planet or you're an approved defender, you cannot use GPT-5.5-Cyber via the API regardless of budget. The Q4 global availability target is also a moving window — staged rollouts of sensitive models tend to slip.
There is also a harder question OpenAI hasn't fully answered: once this capability is widely available, the line between "find and fix" and "find and exploit" depends entirely on the intent of the user. Restricting access now buys time to develop guardrails, but it doesn't resolve the tension permanently.
Specialized AI that can outperform senior engineers on specific tasks is arriving faster than the access and governance frameworks meant to contain it.
Frequently Asked Questions
What is GPT-5.5-Cyber and how does it differ from GPT-5.5?
GPT-5.5-Cyber is a specialized OpenAI model trained on CVE databases, bug bounty data, and vulnerability research to detect and patch code security flaws automatically. It is separate from GPT-5.5, which is a general-purpose model, and is not available through the standard OpenAI API.
How much does GPT-5.5-Cyber cost to use?
Commercial access starts at $0.04 per patch generation call. Open-source projects accepted into the Patch the Planet initiative receive access free of charge.
When will GPT-5.5-Cyber be available to all developers?
As of June 2026, access is limited to verified security defenders and approved open-source projects. A beta for US critical infrastructure is scheduled for August 2026, with global API availability targeting Q4 2026.