GPT-5.5-Cyber built a zlib fuzzing lab in a day
Trail of Bits, in collaboration with OpenAI, is running Patch the Planet, pairing engineers with over 30 open-source projects to address the anticipated flood of bug reports from advanced AI models. In a field report, they describe how GPT-5.5-Cyber built a zlib fuzzing lab in a single day, a task that would have taken weeks for a skilled security researcher.

The model autonomously decided that static review was ineffective and instead built dynamic fuzzing tooling. It used ASan and UBSan builds, repurposed edge-case tests as seed guidance, and wrote C/C++ harnesses across a dozen entrypoints including inflate, inflateBack, uncompress2, gzFile, MiniZip, puff, blast, infback9, gzjoin, gzappend, and several contrib stream wrappers. It also used compile-time variant builds (INFLATE_STRICT, BUILDFIXED, PKZIP_BUG_WORKAROUND) to reach hidden code paths.

The model demonstrated reporting discipline by logging a null callback crash in inflateBack as unreachable (since it required unlikely caller state) and moving on to find higher-impact issues. Trail of Bits attributes this capability to the frontier 5.5-Cyber model combined with the /goal feature, which maintained scope across multiple turns. The findings are currently undergoing coordinated disclosure, and the full harness will be published once vulnerabilities are patched.
The expertise barrier for bespoke fuzzing campaigns is gone, threatening to overwhelm open-source maintainers with bug reports.
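To make the seed-guided harness pattern described above concrete, here is an added example; it is not code from the Trail of Bits report, whose harness is unpublished. It drives zlib's inflate through Python's standard zlib binding rather than a C harness, across three stream framings, and sorts each run into a clean rejection or something worth triage. The payloads, function names, and verdict labels are assumptions made for illustration.

```python
import random
import zlib

# Constructed payloads standing in for edge-case test inputs (assumption).
PAYLOADS = [b"", b"A" * 4096, bytes(range(256)) * 4, b"zlib seed \x00\xff" * 31]
FRAMINGS = {"raw": -15, "zlib": 15, "gzip": 31}  # wbits value per stream framing
MAX_OUT = 1 << 20  # output cap so a mutated stream cannot exhaust memory

def make_seed(payload, wbits):
    c = zlib.compressobj(9, zlib.DEFLATED, wbits)
    return c.compress(payload) + c.flush()

def run_one(data, wbits):
    """Inflate one input in 7-byte chunks; return (verdict, output so far)."""
    d, out = zlib.decompressobj(wbits), bytearray()
    try:
        for i in range(0, len(data), 7):  # small chunks exercise resume paths
            out += d.decompress(data[i:i + 7], MAX_OUT + 1 - len(out))
            if len(out) > MAX_OUT:
                return "over-cap", bytes(out)
            if d.eof:
                break
    except zlib.error:  # expected: malformed stream rejected cleanly
        return "rejected", bytes(out)
    except Exception:  # any other exception type is worth triage
        return "finding", bytes(out)
    return ("ok" if d.eof else "truncated"), bytes(out)

def mutate(seed, rng):
    buf, op = bytearray(seed), rng.randrange(3)
    if op == 0 and buf:  # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:  # truncate at a random offset
        del buf[rng.randrange(len(buf) + 1):]
    else:  # duplicate up to 8 bytes in place
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = buf[pos:pos + 8]
    return bytes(buf)

def campaign(iterations=2000, rng_seed=1):
    rng, tally, findings = random.Random(rng_seed), {}, []
    for name, wbits in FRAMINGS.items():
        seeds = [make_seed(p, wbits) for p in PAYLOADS]
        for _ in range(iterations):
            data = mutate(rng.choice(seeds), rng)
            verdict = run_one(data, wbits)[0]
            tally[verdict] = tally.get(verdict, 0) + 1
            if verdict in ("finding", "over-cap"):
                findings.append((name, data.hex()))
    return tally, findings
```

Memory-safety errors inside zlib itself only become visible when the underlying library is built with sanitizers such as the ASan and UBSan builds the report mentions; this loop checks API-level behaviour only.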