OpenAI Launches Full-Scale Effort to Patch Open-Source Bugs as It Takes on Anthropic’s Mythos


As fears about AI hacking capabilities grow, OpenAI on Monday made a slew of cybersecurity-focused announcements, including an improved version of its limited-access, security-specialized model GPT-5.5-Cyber; expanded international work with governments and other institutions to give them “trusted access” to the company’s latest cybersecurity-focused models; and the release of its Codex Security scanner as an app plug-in.

As advances across the AI industry leave critical open-source projects at increasing risk of falling behind, though, the company also said on Monday that it is launching an effort known as Patch the Planet, founded with the prominent research-focused security firm Trail of Bits and in collaboration with vulnerability management firms HackerOne and Calif.

The project has already begun its work offering free security consulting services to open-source maintainers, not only to help them find and patch vulnerabilities but also to support them in strengthening their code bases and incorporating AI security tools into their development process. The idea is to give individualized support to as many open-source projects as possible, improving both their current security and their long-term resilience in a way that will actually be sustainable.

“Patch the Planet is an internet-scale effort to help open-source software get ahead of AI bug-hunting tools,” says Trail of Bits CEO and cofounder Dan Guido. “But it’s also an effort to help the open-source community see the benefits and not just the downsides of AI coding tools.”

Open-source developers—typically volunteers keeping critical and widely used software afloat with few resources—are often already struggling to keep up with bug reports. The rise of AI vulnerability hunting in recent months has, for many maintainers, made that backlog feel insurmountable as AI-generated slop reports stack up, making it difficult to prioritize and pulling already limited time and attention away from critical flaws.

Maintainers “do their work out of love of open source, and now they’re stuck reviewing slop CVEs,” says OpenAI’s cyber tech lead, Fouad Matin. With Patch the Planet, he says, “what we’ve effectively done is make it as efficient from a token perspective as possible to reduce the burden for maintainers—code base assessments, validating potential reports, creating patches, and landing them. We want to offset costs, whether it’s tokens or people power, to actually patch as much of the world of software as possible.”

Matin adds that for its Codex Security scanner, which has been in research preview since earlier this year, OpenAI has been subsidizing usage for both open-source and private code “to the tune of 20 trillion tokens.”

More than 30 open-source projects are already participating in Patch the Planet, with more in the pipeline to start. To launch the project, Trail of Bits recently conducted a five-day opening sprint in which it had 25 engineers, or roughly a fifth of its workforce, simultaneously working on collaborations with an array of maintainers. OpenAI and Trail of Bits say the project has already uncovered hundreds of bugs and produced dozens of patches in just its first week. And Guido says that with funding from OpenAI as well as unmetered model access, Trail of Bits plans to continue its intense commitment to Patch the Planet work long-term.

“It’s so rare that we get the opportunity to work on large-scale open-source security issues,” Guido says. “And Patch the Planet is not a one-size-fits-all. We speak to all the maintainers for every single project and figure out what their highest priorities are, whether it’s building better testing infrastructure or custom fuzzers or just cleaning up technical data across the project because that’s what’s going to make them work faster and operate faster and patch faster.”

Monday’s announcements by OpenAI come as its competitor Anthropic had to pull its new Fable 5 and Mythos 5 models off the market earlier this month amid fear from the Trump administration about AI cybersecurity capabilities. The White House decision to hit Anthropic with export controls on the models came after the company publicly released the Mythos-grade Fable 5 with blocks on its advanced biological and cybersecurity capabilities—protections the administration feared were not adequate.

OpenAI’s announcements on Monday, including the new checkpoint of GPT-5.5-Cyber, are all part of the company’s limited Trusted Access for Cyber program and do not involve a public release. But with both Anthropic and OpenAI preparing for IPOs, competition clearly continues regardless of which products are currently on the market. In its GPT-5.5-Cyber announcement, for example, OpenAI points out that the model scores 85.6 percent on the benchmark assessment known as CyberGym, an improvement from a previous version of GPT-5.5-Cyber. The performance also beats Anthropic’s Mythos 5, which scored 83.8 percent.

Amid this AI cybersecurity race, the Five Eyes intelligence alliance warned in an unusual joint statement on Monday that “frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months … In this environment, cyber resilience is integral.”

For its part, Patch the Planet leaves participants with six months of free ChatGPT Pro and six months of Codex Security as well as infrastructure and workflow improvements that can be taken forward with an array of tools and human engineers.

“With Patch the Planet so far, only about half the time was spent finding bugs,” Trail of Bits’ Guido says. “We’re trying to find the most superficial, easily discoverable, most severe bugs and wipe them off the table, but the other half of the time we spent customizing agents to work on the code base so we can leave them behind and teach the maintainers how to use them.”