The race to rescue open-source
OpenAI just announced Patch the Planet - the effort to find, review, and patch vulnerabilities in open source.
They partner with Trail of Bits (core), HackerOne, and Calif to do vulnerability discovery, triage, and coordinated disclosure.
The teams built blueprints, including a reusable pipeline for finding variants of known vulnerabilities. It ingests historical CVEs, extracts relevant vulnerability patterns, searches target codebases for related flaws, and sends candidate findings through specialized judging agents.
They also used Codex to test software against its specified behaviors. Codex developed threat models, attack taxonomies, invariant tests, and property-based tests grounded in project specifications and RFCs.
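As an added illustration of what a specification-grounded invariant or property-based test looks like (example code written for this post, not OpenAI's, Trail of Bits', or Codex-generated code): a round-trip property and an implementation limit for the HPACK integer representation in RFC 7541 section 5.1. The RFC requires decoders to reject integers that exceed an implementation limit but leaves the value open; the 32-bit limit and the five-continuation-byte cap below are assumptions chosen for the example.

```python
import random

# Example written for this post (not code from OpenAI, Trail of Bits, or Codex):
# a property-based test for the HPACK integer representation of RFC 7541 s5.1,
# with an implementation limit the RFC requires but leaves to the implementer.

# Assumption: this implementation refuses integers above 2^32 - 1.
MAX_INT_VALUE = (1 << 32) - 1
# An integer at or below MAX_INT_VALUE fits in 5 continuation bytes (35 bits),
# so a sixth continuation byte can only be padding or an oversized value.
MAX_SHIFT = 35


def hpack_encode_int(value: int, prefix_bits: int, first_byte_high: int = 0) -> bytes:
    """Encode a non-negative integer with an N-bit prefix (RFC 7541 section 5.1)."""
    if value < 0 or not 1 <= prefix_bits <= 8:
        raise ValueError("value must be non-negative and prefix width 1..8")
    max_prefix = (1 << prefix_bits) - 1
    if first_byte_high & max_prefix:
        raise ValueError("high bits overlap the prefix")
    if value < max_prefix:
        return bytes([first_byte_high | value])
    out = bytearray([first_byte_high | max_prefix])
    value -= max_prefix
    while value >= 128:          # 7 payload bits per byte, MSB marks "more follows"
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def hpack_decode_int(data: bytes, prefix_bits: int, pos: int = 0) -> tuple[int, int]:
    """Decode an integer at data[pos]; return (value, position after it).

    Raises ValueError on truncation, on a value above MAX_INT_VALUE, and on
    more continuation bytes than any in-limit value can need."""
    max_prefix = (1 << prefix_bits) - 1
    if pos >= len(data):
        raise ValueError("truncated integer")
    value = data[pos] & max_prefix
    pos += 1
    if value < max_prefix:
        return value, pos
    shift = 0
    while True:
        if shift >= MAX_SHIFT:
            raise ValueError("too many continuation bytes")
        if pos >= len(data):
            raise ValueError("truncated integer")
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) << shift
        shift += 7
        if value > MAX_INT_VALUE:
            raise ValueError("integer exceeds implementation limit")
        if not byte & 0x80:
            return value, pos


def roundtrip_holds(trials: int = 5000, seed: int = 1) -> bool:
    """Property: decode(encode(v)) == v for every in-limit v and every prefix
    width, and the decoder consumes exactly the bytes the encoder produced."""
    rng = random.Random(seed)
    for _ in range(trials):
        prefix_bits = rng.randint(1, 8)
        # Mix small values, values at the prefix boundary, and large values.
        value = rng.choice([
            rng.randint(0, 300),
            (1 << prefix_bits) - 1 + rng.randint(0, 3),
            rng.randint(0, MAX_INT_VALUE),
        ])
        enc = hpack_encode_int(value, prefix_bits)
        dec, consumed = hpack_decode_int(enc, prefix_bits)
        if dec != value or consumed != len(enc):
            return False
    return True


def limit_enforced(trials: int = 200, seed: int = 2) -> bool:
    """Property: an encoding of a value above the limit is rejected, and a run
    of 0x80 continuation bytes (which add nothing but keep a naive decoder
    reading) is rejected once it exceeds what an in-limit value can need."""
    rng = random.Random(seed)
    for _ in range(trials):
        prefix_bits = rng.randint(1, 8)
        too_big = rng.randint(MAX_INT_VALUE + 1, MAX_INT_VALUE << 4)
        try:
            hpack_decode_int(hpack_encode_int(too_big, prefix_bits), prefix_bits)
            return False
        except ValueError:
            pass
        padded = bytes([(1 << prefix_bits) - 1]) + b"\x80" * rng.randint(6, 64) + b"\x00"
        try:
            hpack_decode_int(padded, prefix_bits)
            return False
        except ValueError:
            pass
    return True


if __name__ == "__main__":
    print("round-trip property:", roundtrip_holds())
    print("limit property:", limit_enforced())
```

The fixed examples from RFC 7541 appendix C (10 with a 5-bit prefix encodes as 0x0a, 1337 as 0x1f 0x9a 0x0a) serve as anchors; the randomized trials are what a property-based framework such as Hypothesis would generate, kept here as a seeded loop so the block has no dependencies.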
Key findings so far:
- Linux kernel: 8 kernel pointer information leak PoCs and 24 local privilege escalation exploits
- OpenBSD: a 23-year-old use-after-free in the kernel implementation of System V semaphores
- FreeBSD: 34 vulnerabilities and 7 local privilege escalation PoCs
- dnsmasq: four CVEs
- HTTP/2 Bomb
- Chrome, Safari, and Firefox: a number of issues
My take:
- The impressive part is not that AI finds bugs. We know it. It's how frontier labs and security companies form partnerships to secure critical infrastructure.
- Interesting timing. Chainguard announced Athena, the industry coalition to protect open source software from AI attacks, on June 15 and named Daybreak as a contributor. A week later, OpenAI launches its own end-to-end program that runs discovery, validation, and patching directly with maintainers.
- The real contest is over (1) who becomes the vulnerability clearing house and (2) the place in the development and security stack of the most critical infra projects. The great benefit is that in just a few months, we'll have systematically fewer vulnerabilities in the most critical open-source software.
What a great Monday!