A new security-focused AI model released Thursday by OpenAI aims to automate bug hunting, patching and remediation.
The model, powered by ChatGPT-5 and given the name Aardvark, has been used internally at OpenAI and among external partners. Currently offered in an invite-only Beta, it’s designed to continuously scan source code repositories to find known vulnerabilities and bugs, assess and prioritize their potential severity, then patch and remediate them.
In a blog post published on the company’s website, OpenAI claims that Aardvark “does not rely on traditional program analysis techniques like fuzzing or software composition analysis.”
“Instead, it uses LLM-powered reasoning and tool-use to understand code behavior and identify vulnerabilities,” the blog stated. “Aardvark looks for bugs as a human security researcher might: by reading code, analyzing it, writing and running tests, using tools, and more.”

OpenAI says Aardvark can also develop threat models based on the contents of a repository and project security goals and design, sandbox vulnerabilities to test their exploitability, annotate problematic code and submit proposed patches for human review.
In addition to finding security vulnerabilities, the company said Aardvark has shown the potential to spot logic and privacy bugs in code bases, and identified 92% of known and synthetically introduced vulnerabilities in unspecified “golden” repositories. Members of the open source community who operate noncommercial repositories will be able to use the scanner for free.
The company recently updated its coordinated vulnerability disclosure process in September, rolling out changes that include no longer committing to strict disclosure timelines, which OpenAI said can “pressure developers,” and emphasizing broader ecosystem security. The Beta version of the model is currently open to select research partners, and OpenAI said it plans to broaden the tool’s use over time as it refines detection, validation and reporting capabilities.
“By catching vulnerabilities early, validating real-world exploitability, and offering clear fixes, Aardvark can strengthen security without slowing innovation,” the blog stated.
Aardvark’s release reflects OpenAI’s desire to leverage its technology for automated vulnerability scanning and remediation, a field where large language models have shown increasing promise and potential over the past year. The company said Aardvark has identified 10 vulnerabilities thus far that have received Common Vulnerabilities and Exposures (CVE) entries.
Other companies, such as startup XBOW, have been able to develop AI security models over the past year that can ride to the top of bug bounty leaderboards at HackerOne and Bugcrowd, run day and night and identify and fix hundreds of vulnerabilities.
XBOW founder Oege de Moor, who previously led GitHub Next, the company’s software research and development division, told CyberScoop in July that their model receives some human guidance on the front and manual validation on the backend, but otherwise runs autonomously during its bug hunting.
While vulnerability research experts have described models like XBOW as more useful for high-volume, low-impact bugs, the company has attempted to showcase the evolving model’s ability to tackle higher complexity bugs and exploits.
An automated program to address the thousands of low-severity bugs plaguing the internet, while freeing up human operators to tackle higher complexity vulnerabilities, would still have tremendous value. Some security experts point out that large cyber intrusions and multi-stage malware attacks are often less about exploiting zero days or high severity bugs and more about chaining together lower- and medium-impact flaws that exist in unpatched systems.
But another consideration around these models is the sheer energy they consume. De Moor said that while XBOW had solved thousands of bugs and received bug bounties and awards for its work, those earnings aren’t enough to cover the total compute costs to run XBOW over that time.
The post OpenAI releases ‘Aardvark’ security and patching model appeared first on CyberScoop.