AI Patched Firefox Before Pwn2Own - OpenAI's Security Pivot
OpenAI's GPT-5.5-Cyber found CVE-2026-8390 in Firefox's WebAssembly engine before Pwn2Own Berlin - five of six registered exploit entries withdrew.

Five of six teams that had registered Firefox exploits for Pwn2Own Berlin withdrew their entries two days before the contest. Their bug had already been patched.
The vulnerability was CVE-2026-8390, a use-after-free in Firefox's JavaScript/WebAssembly engine. Mozilla fixed it in Firefox 150.0.3. The patch came because GPT-5.5-Cyber found the flaw first and flagged it to Mozilla through OpenAI's Daybreak initiative, which launched in May as OpenAI's dedicated cybersecurity program.
That sequence is the sharpest demonstration yet of the argument OpenAI is making with Patch the Planet - that AI-assisted security research can outpace the exploit economy when paired with fast disclosure.
TL;DR
- GPT-5.5-Cyber found CVE-2026-8390 in Firefox's WebAssembly engine; Mozilla patched it two days before Pwn2Own Berlin, causing five of six contest entries to withdraw
- Patch the Planet embedded Trail of Bits engineers with AI tools across 19 open source projects, producing 64 pull requests and 37 merged patches in five days
- GPT-5.5-Cyber scores 85.6% on CyberGym (vs 81.8% for base GPT-5.5), but access stays locked to vetted defenders through the Trusted Access for Cyber program
What GPT-5.5-Cyber Actually Is
GPT-5.5-Cyber is a restricted fine-tune of GPT-5.5 built for offensive and defensive security research. It isn't available to general subscribers. Access requires applying to OpenAI's Trusted Access for Cyber program, showing defensive intent, and meeting criteria that OpenAI hasn't made fully public. The model's weights aren't released.
| Model | Benchmark result | Access |
|---|---|---|
| GPT-5.5 | 81.8% on CyberGym | General public |
| GPT-5.5-Cyber | 85.6% on CyberGym | Vetted defenders only |
| GPT-5.4-Cyber | ~88% on professional CTFs (a different benchmark, not comparable to the CyberGym figures) | Vetted defenders only |
The 3.8 percentage point CyberGym gain over base GPT-5.5 is the headline number, but OpenAI hasn't published run-to-run variance for either model, so treat it as suggestive rather than decisive. CyberGym itself is built from real vulnerabilities in open source projects - its tasks are derived from OSS-Fuzz crash reports - and asks the model, given the target codebase and a description of the flaw, to produce an input that actually triggers it. That is closer to vulnerability discovery than a standard coding benchmark, but it is userspace library code: claims about kernel exploitation, web application flaws, or chained privilege escalation rest on the Daybreak findings below, not on this benchmark.
The Firefox CVE and the broader browser findings - five exploitable bugs in Chrome's V8 engine and more than ten in WebKit - came from Daybreak research using GPT-5.5-Cyber. Patch the Planet, which launched with the GPT-5.5-Cyber announcement, is a separate program with a narrower scope and different mechanics.
How Patch the Planet Works
The program pairs GPT-5.5-Cyber with Trail of Bits security engineers working directly on open source projects. Every AI-generated finding goes through full human review before it reaches a maintainer. Trail of Bits described the bottleneck accurately: the expensive part of the process has shifted from finding bugs to validating severity, writing patches maintainers will actually accept, and handling coordinated disclosure.
OpenAI built the program around that constraint deliberately. Research showed that 94% of widely used open source projects have fewer than ten developers responsible for more than 90% of their code contributions in any year. Sending those teams unreviewed AI-produced bug lists would create more problems than it solves. The human-in-the-loop structure is a design choice, not a limitation.
The First Five Days
Trail of Bits put its entire security research organization on 19 projects in the program's first sprint. The result: 64 pull requests, 51 issues filed, 37 patches merged.
Among the findings:
- aiohttp saw eight security fixes merged in hours, covering cookie scope handling, digest credential validation, and resource limit enforcement
- pyca/cryptography had an AES-GCM vulnerability surfaced through differential testing
- python.org had its release infrastructure improved and an authorization gap in its release pipeline closed
- RustCrypto received correctness fixes to a big-integer library used across dozens of downstream packages
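The pyca/cryptography item above names the technique but not the harness, so here is what differential testing of an AEAD looks like in practice. This is an added example written for this page, not code from OpenAI, Trail of Bits, or the pyca project, and it does not reproduce whatever pyca bug was found. It uses Go because Go's standard library ships an AES-GCM implementation to test against; the library side of a pyca harness would be `AESGCM.encrypt` from `cryptography.hazmat.primitives.ciphers.aead` with the same oracle. The oracle is a deliberately naive AES-GCM written straight from NIST SP 800-38D (96-bit nonce path only), pinned to the published GCM test case 2 so the run cannot compare two wrong answers. The key, nonces, plaintexts and AAD are constructed for the example, with lengths chosen to sit on and around block boundaries, which is where AEAD bugs tend to hide.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/rand"
)

// gfMul is x*y in GF(2^128) with GCM's bit order (bit 0 = MSB of byte 0):
// NIST SP 800-38D Algorithm 1, one bit per iteration, no lookup tables.
func gfMul(x, y [16]byte) (z [16]byte) {
	v := y
	for i := 0; i < 128; i++ {
		if x[i/8]&(0x80>>uint(i%8)) != 0 {
			for j := range z {
				z[j] ^= v[j]
			}
		}
		lsb := v[15] & 1
		for j := 15; j > 0; j-- {
			v[j] = v[j]>>1 | v[j-1]<<7 // V = V >> 1
		}
		v[0] >>= 1
		if lsb == 1 {
			v[0] ^= 0xe1 // reduce by R = 11100001 || 0^120
		}
	}
	return z
}

// ghash absorbs AAD and ciphertext (zero-padded to whole blocks), then the
// block carrying both bit lengths, exactly as GCM defines it.
func ghash(h [16]byte, aad, ct []byte) (y [16]byte) {
	var lens [16]byte
	binary.BigEndian.PutUint64(lens[:8], uint64(len(aad))*8)
	binary.BigEndian.PutUint64(lens[8:], uint64(len(ct))*8)
	for _, data := range [][]byte{aad, ct, lens[:]} {
		for len(data) > 0 {
			var blk [16]byte
			n := copy(blk[:], data)
			data = data[n:]
			for j := range y {
				y[j] ^= blk[j]
			}
			y = gfMul(y, h)
		}
	}
	return y
}

// refSeal is the naive oracle: AES-GCM with a 96-bit nonce written from the
// spec. It returns ciphertext || 16-byte tag, the layout cipher.AEAD.Seal
// produces, so library and oracle output compare byte for byte.
func refSeal(block cipher.Block, nonce [12]byte, pt, aad []byte) []byte {
	var h, j0, ekj0, ks [16]byte
	block.Encrypt(h[:], h[:]) // H = E_K(0^128)
	copy(j0[:], nonce[:])
	j0[15] = 1 // J0 = IV || 0^31 || 1
	block.Encrypt(ekj0[:], j0[:])
	ctr, out := j0, make([]byte, len(pt), len(pt)+16)
	for off := 0; off < len(pt); off += 16 {
		binary.BigEndian.PutUint32(ctr[12:], binary.BigEndian.Uint32(ctr[12:])+1) // inc32
		block.Encrypt(ks[:], ctr[:])
		for i := off; i < len(pt) && i < off+16; i++ {
			out[i] = pt[i] ^ ks[i-off]
		}
	}
	tag := ghash(h, aad, out)
	for i := range tag {
		tag[i] ^= ekj0[i] // T = E_K(J0) xor GHASH_H(A, C)
	}
	return append(out, tag[:]...)
}

// knownAnswerOK pins the oracle to GCM test case 2 (zero key, zero IV, one
// zero block) so a differential run cannot silently compare two wrong answers.
func knownAnswerOK() bool {
	block, _ := aes.NewCipher(make([]byte, 16)) // a 16-byte key cannot fail
	want, _ := hex.DecodeString("0388dace60b6a392f328c2b971b2fe78ab6e47d42cec13bdf53a67b21257bddf")
	return bytes.Equal(refSeal(block, [12]byte{}, make([]byte, 16), nil), want)
}

// differentialRun seals constructed inputs at block-boundary lengths with both
// crypto/cipher's GCM and the oracle. It returns "" when every case agrees,
// otherwise a description of the first disagreement.
func differentialRun() string {
	block, err := aes.NewCipher([]byte("constructed-key!")) // 16 bytes, constructed for the example
	if err != nil {
		panic(err)
	}
	lib, _ := cipher.NewGCM(block)    // cannot fail for an AES block
	rng := rand.New(rand.NewSource(1)) // deterministic constructed inputs
	lengths := []int{0, 1, 15, 16, 17, 31, 32, 33, 100}
	for _, pl := range lengths {
		for _, al := range lengths {
			var nonce [12]byte
			pt, aad := make([]byte, pl), make([]byte, al)
			for _, b := range [][]byte{nonce[:], pt, aad} {
				rng.Read(b)
			}
			libOut := lib.Seal(nil, nonce[:], pt, aad)
			refOut := refSeal(block, nonce, pt, aad)
			if !bytes.Equal(libOut, refOut) {
				return fmt.Sprintf("pt=%d aad=%d: library %x vs oracle %x", pl, al, libOut, refOut)
			}
		}
	}
	return ""
}

func main() {
	fmt.Println("oracle known-answer ok:", knownAnswerOK())
	fmt.Printf("first differential mismatch: %q\n", differentialRun())
}
```

The oracle is slow and table-free on purpose: it shares nothing with the optimized library path, so a disagreement points at one side's optimization rather than a shared mistake. In a real campaign the constructed lengths would be replaced by a fuzzer feeding both sides, and the first mismatch would be minimized and triaged by a human before anyone called it a vulnerability, which is the review step the article describes.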
Over 30 projects have since committed to participate, including cURL, the Go project, Python, Sigstore, and urllib3.
What the Broader Daybreak Research Found
The kernel findings are harder to dismiss. GPT-5.5-Cyber's research beyond the Patch the Planet sprint identified eight kernel pointer information-leak proofs-of-concept and 24 local privilege escalation exploits in the Linux kernel. In FreeBSD, it found 34 vulnerabilities including seven LPE proofs-of-concept. In OpenBSD, it found a use-after-free in the System V semaphore implementation that had sat undetected for more than two decades and allowed an unprivileged local user to escalate to root.
Linux kernel LPE exploits are among the most valuable primitives in offensive security. Finding 24 in a single research pass, with Trail of Bits review before disclosure, compresses what previously required months of specialized research into a much shorter window.
Codex Security, the broader scanning platform running in parallel, had by March scanned more than 30 million commits across 30,000+ codebases. Human reviewers had marked more than 70,000 findings as fixed.
The Commercial and Geopolitical Layer
Patch the Planet is the public-facing piece. Below it sits the Daybreak Cyber Partner Program, which allows security vendors to integrate GPT-5.5 into commercial products. Launch partners include Accenture, Cisco, CrowdStrike, IBM, Okta, Palo Alto Networks, and Wiz.
OpenAI has also expanded Trusted Access to seven government partners - Australia, Canada, France, Germany, Japan, South Korea, and the EU institutions. National cyber agencies in those jurisdictions now have access to GPT-5.5-Cyber under the vetted-defender framework. The Five Eyes warnings about AI-powered attacks arriving within months give those partnerships urgency beyond the marketing.
Anthropic launched Project Glasswing in May with $100 million committed to defensive AI security research, using Mythos-class models under similar access restrictions. Both programs are making the same structural bet: that AI capability in security is advancing fast enough that the question isn't whether to deploy it, but whether defenders can deploy it faster than attackers.
What It Does Not Tell You
The Firefox/Pwn2Own story is compelling. It's also the best-case scenario. OpenAI hasn't disclosed GPT-5.5-Cyber's false-positive rate, and the CyberGym number doesn't supply one: an 85.6% pass rate means the model solved 85.6% of the benchmark's labelled tasks and missed the rest, which says nothing about how many of the findings it raises on an unlabelled codebase turn out to be real. In a high-volume scanning context that unknown precision is the cost that matters, because every dead end consumes engineer time. The Trail of Bits full-review requirement addresses this, but it scales with headcount - the sprint worked because Trail of Bits committed its entire research team for a week.
Project selection also matters. The first sprint covered projects with existing maintainer relationships with Trail of Bits and HackerOne. cURL, Python, and the Go project maintainers are not representative of the long tail of abandoned or minimally maintained packages that make up most real supply chain risk. The hardest code to audit won't be first in line.
There's also the dual-use question that GPT-5.5's broader security capabilities raised when it launched in April. OpenAI is betting that keeping GPT-5.5-Cyber behind a vetted-access wall solves the offensive risk. That was the same logic applied to Mythos before Anthropic's export control complications made the theory harder to test. Access controls work until they don't.
The Pwn2Own withdrawal is a concrete outcome, not a benchmark. Five teams spent months building an exploit for a bug that no longer exists because an AI found it first. The question is whether that repeats at scale or remains a highlight reel. The answer depends on what happens in sprint two, and sprint twenty, when Trail of Bits isn't committing its entire team and the projects are less familiar.