Patch the Planet: HackerOne Joins OpenAI's Daybreak Initiative to Secure Critical Open-Source Software

Dane Sherrets
Staff Innovations Architect
Sandeep Singh
VP, Product Strategy

Open-source software runs the modern internet, and the people who maintain it are too often a handful of volunteers facing a flood of unverified vulnerability reports with no time and no budget to triage them. That problem has only grown as automated tooling makes it cheaper to file a report than to confirm one. Securing open source means fixing that imbalance: giving maintainers a better signal-to-noise ratio, validated reports, and, where appropriate, tested patches that can move through review and remediation.

Today we're announcing our role as a launch partner in Patch the Planet, a new initiative from OpenAI's Daybreak program alongside Trail of Bits and Calif. Working with maintainers and trusted security partners, the program identifies a focused set of critical open-source projects, then pairs Codex-assisted research with expert human validation and coordinated disclosure, so maintainers receive validated findings, tested patches, and support all the way through remediation.

HackerOne provides the shared intake, triage, and tracking layer. The H1 Platform gives partner researchers and maintainers a single place to manage reports, track remediation, and coordinate disclosure.

The design principle is maintainer-first. Researchers investigate potential vulnerabilities, validate the ones that matter, develop or refine the fix, support testing, and disclose through each project's established channels. Maintainers stay in control of their own projects. We don't count success in report volume. We count it in risk removed from the software the world runs on.

The Internet Bug Bounty, which we've run with the open-source community since 2013, was built around a dual purpose: rewarding both the discovery of vulnerabilities and the remediation work that turns a finding into a durable fix. As AI-assisted research expanded discovery across the ecosystem, the balance between findings and the capacity to remediate them in open source changed. Patch the Planet is built for where that balance sits today, putting expert effort into validating, fixing, and shipping. The program is funded by OpenAI, so the cost of that work sits with the partners doing it, not with the maintainers receiving it.

Open source carries the modern internet. The work of keeping it secure should be funded like it matters. That's what Patch the Planet is built to do, and we'll have more to share as it grows.

About the Authors

Dane Sherrets
Staff Innovations Architect

Dane is an experienced Staff Innovations Architect at HackerOne, helping large enterprises and governments leverage bug bounty programs and AI red teaming services to minimize growing cyber risks.

Sandeep Singh
VP, Product Strategy

Sandeep leads product strategy at HackerOne. He has been a security practitioner and leader with over 12 years of experience in the security industry.