OpenAI has introduced Aardvark, a GPT-5-powered AI agent designed to hunt and fix software vulnerabilities, with free scanning support for open source projects to bolster global code security.
OpenAI Group PBC has launched Aardvark, an autonomous GPT-5-powered AI agent designed to identify, verify, and help resolve software vulnerabilities in real-time. Described as an “AI security researcher,” Aardvark can scan repositories, reason about potential exploits, and generate validated patches to support both open-source and enterprise environments.
Directly integrated with GitHub, Aardvark analyses entire repositories to build contextual threat models and continuously scans new code commits for weaknesses. When a vulnerability is detected, it reproduces the exploit in a sandbox for validation and proposes a fix using OpenAI’s Codex engine.
Suggested patches are submitted for human review, ensuring that no unverified changes occur autonomously. In testing, Aardvark detected about 92% of known and synthetic vulnerabilities in benchmark repositories. During limited trials, it also uncovered real flaws in open-source projects, some of which received official Common Vulnerabilities and Exposure (CVE) numbers.
Positioned as part of OpenAI’s new commitment to “giving back,” Aardvark will offer pro bono scanning for selected noncommercial open source repositories. The goal is to enhance the resilience of community-driven software and strengthen the open source supply chain.
OpenAI describes Aardvark as a “breakthrough in AI and security research”, its first major step into cybersecurity tooling. The move also marks a strategic shift toward collaboration, signalling OpenAI’s intent to contribute directly to securing the open-source ecosystem.
Currently in private beta, Aardvark is being refined through field validation, with no public release date announced.
