OpenAI has announced Aardvark, a GPT-5-powered "agentic security researcher", now in private beta. Aardvark continuously analyzes a codebase, builds a threat model for it, scans incoming commits for vulnerabilities in the context of that model, and assesses whether each finding is exploitable. It then attempts to reproduce the vulnerability in an isolated sandbox and, for confirmed findings, uses Codex to generate a candidate fix. The fix is attached to the finding together with a step-by-step explanation and code annotations and is handed to a human for review and merging. The tool is aimed at development and security teams, with the stated goal of delivering actionable remediation without disrupting existing development workflows.
According to OpenAI's own disclosures, Aardvark has been running continuously in internal codebases and in early external partner environments, and it identified 92% of the known and synthetically introduced vulnerabilities in OpenAI's "golden" benchmark repositories. It has also been used to responsibly disclose several issues in open-source projects, ten of which have received CVE identifiers. OpenAI further stated that it will offer free scanning to selected non-commercial open-source repositories and has updated its outbound coordinated disclosure policy; access will be widened gradually over the course of the private beta. Note that the 92% figure is vendor-reported against a vendor-constructed benchmark, not an independent measurement.
Frequently Asked Questions
Q: How can Aardvark be integrated currently?
A: It is currently in private beta and available only to invited partners and selected open-source projects. OpenAI's announcement page provides an application form for the beta.
Q: How is it different from traditional tools (such as fuzz/SCA)?
A: Rather than relying on fuzzing, pattern matching or dependency inventories, it is built around LLM reasoning and tool use and follows a multi-stage process of threat modeling, commit scanning, sandbox validation and patching, which is closer to how a human security researcher works: read and understand the code, hypothesize a flaw, try to trigger it, then propose a fix. The trade-off is that results are probabilistic and must be validated, which is why the sandbox reproduction step exists.
Q: Does it support automatic repair?
A: Each confirmed finding comes with a patch generated by Codex and checked by Aardvark, but the patch is not applied automatically. It is presented for human review and can be merged with one click once approved, so no unsupervised changes land in the repository.
Q: Is there data on the actual results?
A: OpenAI reports a 92% detection rate on its benchmark repositories and ten CVE-level disclosures in open-source projects so far. These are self-reported numbers; independent reproduction and head-to-head comparison against other tools are still pending.
Q: What are the plans for the open source community?
A: OpenAI plans to offer free scanning to selected non-commercial open-source repositories and, together with its updated disclosure policy, aims for sustained collaboration with maintainers rather than one-off bug reports.