OpenAI rolls out vuln‑detection model
OpenAI released to a select group a new model aimed at detecting software security vulnerabilities, a move that follows other entrants into code‑security tooling. The announcement positions OpenAI in direct competition with recent security‑focused model launches from other AI firms. (x.com)
Software security tools look for bugs that attackers can exploit, and the newer ones use artificial intelligence to read code more like a reviewer than a checklist. OpenAI is now giving a select group access to GPT-5.4-Cyber, a model tuned to find those flaws. (openai.com)
OpenAI said on April 14 that GPT-5.4-Cyber is a variant of GPT-5.4 trained to be “cyber-permissive” for defensive work. Bloomberg reported the company is offering it first to some members of its Trusted Access for Cyber program, which OpenAI launched in February. (openai.com) (bloomberg.com)
OpenAI said the model has fewer constraints when users probe software for vulnerabilities, but only inside a trust-based access system with identity checks and other safeguards. The company said it is expanding that program to “thousands” of verified defenders and “hundreds” of teams that protect critical software. (openai.com)
The release adds a second OpenAI cyber product in six weeks. On March 6, OpenAI put Codex Security into research preview for ChatGPT Pro, Enterprise, Business, and Edu customers, describing it as an application security agent that can detect, validate, and patch vulnerabilities in connected repositories. (openai.com)
Codex Security works by building a project-specific threat model, then checking likely weaknesses against the actual code and validating high-signal findings in an isolated environment. OpenAI said that approach cut noise by 84% in one repository over time, reduced over-reported severity by more than 90%, and lowered false positives by more than 50% across repositories in beta testing. (openai.com) (developers.openai.com)
The timing puts OpenAI directly against Anthropic, which announced Project Glasswing on April 7 and tied it to Claude Mythos Preview, its own frontier model for defensive security work. Anthropic said the program launched with partners including Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, and Palo Alto Networks. (anthropic.com)
Anthropic said it also extended access to more than 40 additional organizations that build or maintain critical software infrastructure, and committed up to $100 million in usage credits plus $4 million in donations to open-source security groups. That made the market for restricted-access cyber models look more crowded a week before OpenAI’s latest announcement. (anthropic.com)
OpenAI has been laying policy groundwork for this rollout for months. In June 2025, it published an outbound coordinated disclosure policy for reporting flaws it finds in third-party software, and in February 2026 it introduced Trusted Access for Cyber as a framework for giving stronger cyber capabilities to vetted defenders rather than the general public. (openai.com 1) (openai.com 2)
The immediate next step is still limited deployment, not broad release. OpenAI said more capable cyber models are coming “over the next few months,” and its latest move keeps the first access with verified defenders instead of general users. (openai.com)