VYPR Research · Published Jun 22, 2026 · 1 source

Trail of Bits Launches 'Patch the Planet': 64 Pull Requests and 51 Issues Filed Against 19 Critical Open-Source Projects in One Week

Trail of Bits engineers paired with OpenAI's GPT-5.5-Cyber produced 64 pull requests and 51 issues across 19 essential open-source projects, with 37 patches already merged, in the first week of the new Patch the Planet initiative.

Trail of Bits has unveiled Patch the Planet, a novel week-long initiative that pairs its security engineers with cutting-edge AI models—specifically OpenAI's GPT-5.5-Cyber under its Daybreak partnership—to conduct systematic security audits and produce actionable patches for critical open-source projects. In just the first week, the effort generated 64 pull requests and 51 issues across 19 projects including cURL, NATS, pyca, Sigstore, aiohttp, Go, freenginx, Python, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. Of those, 37 patches have already been merged by maintainers. The initiative is a direct response to the growing firehose of AI-generated security findings that overwhelm volunteer maintainers: rather than simply filing bug reports and walking away, Trail of Bits engineers triage, patch, and test each finding alongside the project's maintainers.

The technical output goes beyond simple bug fixes. Contributions include new fuzzing harnesses, continuous integration security scanning, supply-chain tooling, correctness fixes, and features that maintainers had long planned. At python.org, for example, the team added a CI workflow based on Trail of Bits' own zizmor GitHub Actions auditor, fixed all flagged issues, and integrated the scanner into the project's release infrastructure. In RustCrypto, they contributed correctness fixes to the big-integer library underpinning higher-level cryptography, along with features such as serde encoding support and HPKE DHKEM suite IDs. Other patches addressed storage-accounting and service-restart bugs in SimpleX, improved admin-quarantine confirmation in PyPI's Warehouse, and added SBOM sidecars for Python's Windows artifacts.

The initiative also demonstrated the offensive capabilities of frontier models in a live setting. Given the goal of finding remotely exploitable bugs in one of the most-reviewed C libraries in history, GPT-5.5-Cyber chose not to waste tokens reading the source code. Instead, it built a complete fuzzing lab in under a day: set up sanitizer and variant builds, generated a seed corpus from existing tests, and constructed harnesses across a dozen entry points. The model even injected operating system backpressure into the harness to reach previously unexplored buggy states. Trail of Bits estimates the same effort would have taken one of its fuzzing experts two to three weeks to complete manually.

Another pipeline built in a single day performed variant analysis on historical CVEs. Using Codex's /goal feature combined with GPT-5.5-Cyber, the system produced a pipeline that generated novel issues with almost exclusively high-signal output. This kind of automated variant analysis could become a powerful tool for proactively finding regression-like bugs in newly updated code.

Beyond the sheer volume of patches, the project introduced a monitoring bot named Patchy that tracks every project, posts findings and merged patches to Slack, and adds a touch of whimsy by describing bugs with goblins and gremlins. When a patch lands, Patchy celebrates with a triumphant "PATCHY HAPPY," which the team says is their real driving force. The public tally undercounts the work, as several projects receive reports through private channels like HackerOne and GitHub security advisories; those findings are still under coordinated disclosure.

Over 30 projects have now joined the initiative, and Trail of Bits is actively expanding. The effort represents a significant step toward making AI-assisted security auditing practical and responsible—moving from noise-generating bug dumps to a maintainer-friendly model where experts handle the full lifecycle of discovery, triage, patch creation, and upstreaming. As frontier models continue to accelerate the pace of vulnerability discovery, initiatives like Patch the Planet may become a necessary bridge between AI finding bugs and humans fixing them.

Synthesized by Vypr AI