OpenAI Launches Aardvark to Detect and Patch Hidden Bugs in Code (openai.com)

OpenAI announced Aardvark, an agentic security researcher powered by GPT-5 that continuously analyzes source code repositories to find, validate, prioritize, and patch vulnerabilities. Running in private beta, Aardvark watches commits and repository history, builds a project-specific threat model, inspects changes against that model, and attempts to trigger confirmed issues in an isolated sandbox to reduce false positives. It combines LLM-driven code reasoning and tool use (reading code, writing/running tests, using external tools) rather than traditional fuzzing or composition analysis, and attaches Codex-generated patches for one-click, human-reviewed remediation. In benchmarks on “golden” repos it found 92% of known and synthetic vulnerabilities and has already uncovered multiple real-world bugs and CVE-assigned issues in open-source projects. For the AI/ML and security communities this signals a scalable, defender-first shift: autonomous agents can offload routine discovery, validation, and patch suggestions while integrating with GitHub and existing workflows. Technical implications include higher recall of complex, context-dependent bugs, continuous post-commit protection, and potential pressure on disclosure processes as automated tools surface more issues. Aardvark’s private beta, pro-bono scanning for selected open-source projects, and updated, collaboration-focused disclosure policy indicate OpenAI’s intent to refine detection accuracy and operationalize LLM-driven security in production, while keeping humans in the review loop.