OpenAI just automated vulnerability discovery across Linux, Python, and cURL. Your patch cycle is now the attack surface.

OpenAI dropped GPT-5.5-Cyber and "Patch the Planet" on June 22.

The model scored 85.6% on CyberGym.

The human benchmark is lower.

Trail of Bits used it to scan critical open-source infrastructure your enterprise depends on.

What they found in the first sprint:

8 kernel pointer leaks in Linux.
24 local privilege escalation exploits in Linux.
A 23-year-old use-after-free in OpenBSD that gives unprivileged users root.
34 vulnerabilities in FreeBSD.
4 dnsmasq CVEs before the maintainer even knew.
An HTTP/2 Bomb affecting 880,000 internet-facing servers running NGINX, Apache, IIS, and Pingora.
5 exploitable Chrome V8 bugs.
10+ Safari WebKit vulnerabilities.
A Firefox WebAssembly defect patched 2 days before Pwn2Own.

Codex Security has now scanned 30 million commits across 30,000 codebases.

Human reviewers marked 70,000 findings as fixed.

The bottleneck is no longer finding vulnerabilities.

It is patching them before attackers weaponize the same models to find the same flaws.

The Canadian Centre for Cyber Security said it plainly: organizations should assume AI-driven exploitation will outpace vendors' ability to publish patches.

Your CISO's patch cycle just became a race against machine-speed discovery.

Audit your vulnerability management SLA today.

If your critical infrastructure patch window is measured in weeks, you are already behind.

SOURCE: https://thehackernews.com/2026/06/openai-expands-daybreak-with-gpt-55.html
VERIFIED: OpenAI blog (June 22), The Hacker News (June 23), Trail of Bits (June 22), Developer Tech (June 23)
SIGNAL: AI-powered vulnerability discovery just industrialized. Every enterprise running open-source dependencies is now exposed to a new class of automated attack that traditional patching cadences cannot match.