{"id":15923,"date":"2026-03-09T11:56:25","date_gmt":"2026-03-09T11:56:25","guid":{"rendered":"https:\/\/newestek.com\/?p=15923"},"modified":"2026-03-09T11:56:25","modified_gmt":"2026-03-09T11:56:25","slug":"openai-says-codex-security-found-11000-high-impact-bugs-in-a-month","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15923","title":{"rendered":"OpenAI says Codex Security found 11,000 high-impact bugs in a month"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>OpenAI\u2019s new AppSec agent, Codex Security, has already flagged over 11,000 high-severity and critical flaws in real-world codebases during its first 30 days of research testing. The tool, designed to automatically find, validate, and fix vulnerabilities in software repositories, reportedly identified about 800 critical issues in more than a million scanned commits.<\/p>\n<p>According to an OpenAI blog post, the tool is meant to function more like a security researcher who studies a codebase, maps potential attack paths, and proposes fixes, rather than a static scanner. 
\u201cIt\u2019s designed to operate at scale and surface the highest-confidence findings with easy-to-accept patches,\u201d the company wrote.<\/p>\n<p>According to OpenAI, the tool builds contextual understanding of an entire project, which enables it to focus on vulnerabilities that are realistically exploitable, addressing the long-standing alert fatigue for AppSec teams.<\/p>\n<h2 class=\"wp-block-heading\" id=\"flaws-uncovered-in-proprietary-and-open-source-projects\">Flaws uncovered in proprietary and open-source projects<\/h2>\n<p>In its first testing cycle, OpenAI said Codex Security scanned more than 1.2 million commits across external repositories, identifying 792 critical vulnerabilities and 10,561 high-severity issues. The company said the findings came from a wide range of real-world codebases while maintaining relatively low noise, as critical issues appeared in under 0.1% of scanned commits.<\/p>\n<p>\u201cNetgear was pleased to join the early access program, and the results exceeded expectations,\u201d Chandan Nandakumaraiah, head of product security at Netgear, said in a comment shared within the post. \u201cCodex Security integrated effortlessly into our robust security development environment, strengthening the pace and depth of our review processes.\u201d<\/p>\n<p>Beyond proprietary repositories, vulnerabilities were flagged in several widely used open-source projects too, including OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium, with 14 CVEs assigned so far.<\/p>\n<p>OpenAI says these efforts are part of a broader \u201cCodex for OSS\u201d initiative, which provides maintainers with free access to Codex tools and security review support. 
The company plans to expand the program in the coming weeks to bring more open-source maintainers into the ecosystem.<\/p>\n<p>The company highlighted thirteen high-impact OSS vulnerabilities discovered by Codex Security, spanning path traversal, denial of service (<a href=\"https:\/\/www.csoonline.com\/article\/4110714\/5-myths-about-ddos-attacks-and-protection.html\">DoS<\/a>), and authentication bypass issues.<\/p>\n<h2 class=\"wp-block-heading\" id=\"from-the-aardvark-experiment-to-an-ai-security-researcher\">From the \u2018Aardvark\u2019 experiment to an AI security researcher<\/h2>\n<p>Codex Security evolved from an earlier internal project called <a href=\"https:\/\/www.csoonline.com\/article\/4082497\/openai-launches-aardvark-to-detect-and-patch-hidden-bugs-in-code.html\">Aardvark<\/a>, an AI-powered vulnerability research agent that OpenAI began testing with select users. The concept behind Aardvark was to have the AI agent read code, test possible exploit paths, and reason through how an attacker might compromise a system.<\/p>\n<p>This agentic workflow allows the Codex Security system to mimic how human security researchers operate. The AI analyzes repository history, builds a threat model that identifies entry points and trust boundaries, and then explores attack paths that could lead to sensitive outcomes.<\/p>\n<p>Once a potential vulnerability is discovered, the system attempts to reproduce the issue in a sandbox environment to confirm that it is exploitable before reporting it. After validation, it generates remediation guidance, often in the form of proposed patches that developers can review and merge into their workflow.<\/p>\n<p>Codex Security can also learn from feedback over time to improve the quality of its findings. 
\u201cWhen you adjust the criticality of a finding, it can use that feedback to refine the threat model and improve precision on subsequent runs as it learns what matters in your architecture and risk posture,\u201d the company added in the post. Starting March 9, Codex Security is available in research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web with free usage for the next 30 days.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>OpenAI\u2019s new AppSec agent, Codex Security, has already flagged over 11,000 high-severity and critical flaws in real-world codebases during its first 30 days of research testing. The tool, designed to automatically find, validate, and fix vulnerabilities in software repositories, reportedly identified about 800 critical issues in more than a million scanned commits. According to an OpenAI blog post, the tool is meant to function more&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15923\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15923","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15923"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15923\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}