OpenAI Launches Codex Security to Find and Patch Software Vulnerabilities

OpenAI is releasing Codex Security, an AI agent designed to find and fix security vulnerabilities in software code. The tool is now in research preview for ChatGPT Pro, Enterprise, Business, and Edu customers, with free usage for the next month.

The product was formerly known as Aardvark and began as a private beta last year. During internal testing, OpenAI says Codex Security found a real SSRF vulnerability, a critical cross-tenant authentication flaw, and other issues that were patched within hours.

The core problem Codex Security aims to solve: existing AI security tools generate too many false positives, overwhelming security teams. "Most AI security tools simply flag low-impact findings and false positives," OpenAI noted, "forcing security teams to spend significant time on triage."

The company says the tool has improved significantly during beta. Scans on the same repositories over time showed an 84% reduction in noise in one case. They've reduced findings with over-reported severity by more than 90%, and false positive rates dropped by more than 50%.

Over the last 30 days, Codex Security scanned more than 1.2 million commits across external repositories in the beta program, identifying 792 critical findings and 10,561 high-severity findings. Critical issues appeared in under 0.1% of scanned commits.

OpenAI has also been using the tool to scan open-source repositories they depend on, reporting vulnerabilities to projects including OpenSSH, GnuTLS, GOGS, and Chromium. Fourteen CVEs have been assigned so far.