On June 23, three events coincided. OpenAI's new model identified 32 exploitable vulnerabilities in the Linux kernel within five days; SpaceX disclosed that the total value of its signed AI computing power contracts had exceeded $80 billion; IBM announced a $5 billion investment to build an open-source security information sharing platform.
Each item alone is big news. Taken together, they point to the same shift: the pricing logic of enterprise AI infrastructure is being rewritten. Security has transformed from a cost center into a product, computing power from a scarce resource into a negotiable commodity, and open-source security from a community obligation into national infrastructure. CIOs need to recalculate their budgets.
OpenAI turns security into a product
GPT-5.5-Cyber scored 85.6% on the CyberGym benchmark, while the standard GPT-5.5 scored 81.8%. A difference of 4 percentage points doesn't sound like much. But the real value of this model isn't in the benchmark scores; it's that OpenAI has turned it into a complete product ecosystem.
The Codex Security plugin is directly embedded into the developer's IDE. It scans for vulnerabilities while writing code, eliminating the need to wait for a post-development security audit. Security checks have shifted from "the final checkpoint before deployment" to "a real-time action during the coding process." This change is structural: security is no longer solely the responsibility of the security team but becomes part of every developer's daily workflow.
The Patch the Planet initiative aims to go further. OpenAI has partnered with Trail of Bits and HackerOne to subject over 30 core open-source projects (cURL, Go, Python, Sigstore) to AI-driven security audits. The result is what was mentioned at the beginning: 32 Linux kernel vulnerabilities in five days. Engineers at Trail of Bits also used GPT-5.5-Cyber to set up a complete fuzzing lab in one day, a task that would normally take weeks to do manually.
Key figures: 85.6% GPT-5.5-Cyber CyberGym score; 32 Linux kernel vulnerabilities (within 5 days); 30+ participating open-source projects.
What game is OpenAI playing? Fixing vulnerabilities in real-world infrastructure, building government trust, and making itself "too important to shut down." This is a direct response to Anthropic's Project Glasswing. Both top AI companies recognize cybersecurity as AI's most valuable and politically legitimate application scenario.
For enterprise CIOs, this signal is far more important than model benchmark scores. How many open-source components are in your software supply chain? Have these components been automatically scanned by AI? OpenAI and Trail of Bits can find 32 vulnerabilities in the Linux kernel within five days—what is the status of those dependency libraries on your company's intranet that haven't been audited in years?
SpaceX built an $80 billion computing power giant in two months
SpaceX's Colossus data center went from zero to being on par with AWS, Azure, and GCP in just two months. This speed itself shows that the barriers to computing infrastructure are being rapidly leveled.
The three signed contracts are presented as follows:
| Contracting Parties | Monthly Fee | Total Contract Amount | Notes |
|---|---|---|---|
| Reflection AI | $150 million/month | $6.3 billion | July 2026 to 2029, GB300 chip |
| Anthropic | $1.25 billion/month | Approximately $52.5 billion | Colossus 2, Memphis |
| | $920 million/month | Approximately $38.6 billion | Colossus 2, Memphis |
The three contracts combined promise revenue exceeding $80 billion. The figure is staggering. But analysts uncovered a detail: all contracts include a 90-day exit clause. In essence, only about $1.5 billion of the $80 billion "commitment" is actually locked in. SPCX's stock price fell 10% that day, marking its largest single-day decline since listing. The market has doubts about the true value of this "commitment."
The problem is this: of the $80 billion commitment, only about $1.5 billion is locked in. If you plan infrastructure around $80 billion, you can actually rely on only $1.5 billion. This gap is enough to turn an AI project from "proceeding as planned" to "suddenly cut off from funding."
For enterprise CIOs, the significance of SpaceX's entry lies not in whether it can fulfill all its contracts, but in how it has changed the supply landscape of the computing power market. With one more heavyweight player, there is downward pressure on prices. The GPU computing power that was hard to come by last year is now starting to see room for price negotiation.
But the 90-day exit clause also exposes a neglected risk: the computing power contract you signed can be terminated by the supplier at any time. Tying core AI business to a "promise" rather than a "lock-in" leaves gaps in business continuity. CIOs need to re-examine the structure of computing power contracts. Lock-in ratios, exit clauses, and SLA compensation—these were previously matters for legal departments, but now they directly impact business stability.
Security is becoming a public good
IBM and Red Hat's Project Lightwell invested $5 billion and brought in over 20,000 engineers to build an AI-driven open-source security information sharing center. This is not charity. The biggest cost in enterprise security is not tools, but intelligence. If the entire industry shares threat intelligence, the defense costs for each enterprise will decrease.
This coincides with moves by regulators. The public consultation period for the EU AI Act's guidelines on high-risk AI systems ends on June 23, and a formal definition of which AI systems qualify as "high-risk" will soon be established. On June 2, the United States issued an AI safety executive order, requiring CISA and the NSA to strengthen civilian network defenses within 30 to 60 days, and also established an AI vulnerability information sharing center.
OpenAI fixes vulnerabilities, IBM builds an intelligence-sharing platform, the EU defines high-risk systems, and the US requires network hardening within 60 days—four events occurring simultaneously within two weeks is no coincidence. Security is shifting from "every enterprise managing its own affairs" to "industry-level public infrastructure."
For enterprise CIOs, the logic of security budgets must change. Previously, it was about buying tools and services; in the future, it may become about buying intelligence, access, and compliance. The money you spend is no longer just for purchasing a scanner or a firewall, but for gaining access to a threat intelligence network shared across the entire industry.
How CIOs Should Renegotiate Infrastructure Contracts
Three direct practical judgments:
Security budgets shift from "post-audit" to "development-embedded". Codex Security's model demonstrates that the best place for security is not a pre-launch checkpoint, but real-time prompts within the IDE. If your security team is still following a workflow of "write code, submit for security audit, then revise after rejection," it's time to consider shifting security earlier. Specific approach: evaluate AI-driven code security scanning tools and embed real-time vulnerability detection into the CI/CD pipeline. Trail of Bits' case of building a fuzzing lab in one day shows that deploying AI security tools is much faster than you think.
Computing power contracts should be evaluated based on "locked-in ratio" rather than "total commitment." The SpaceX case is a clear example: an $80 billion commitment may have only $1.5 billion locked in. When signing a computing power contract, be sure to clarify three things: What is the minimum commitment? What are the trigger conditions for the exit clause? Who bears the cost of data migration after exit? Include these three questions in the supplier evaluation form. Don't be fooled by the term "committed revenue"; what you need to look at is "locked-in revenue."
Open-source component management has been upgraded from an "annual inventory" to "continuous monitoring." Patch the Planet proves that AI can audit dozens of core open-source projects within days. Your enterprise may rely on hundreds of open-source libraries. Using AI-driven SCA (Software Composition Analysis) tools for continuous monitoring is far more effective than conducting manual audits once a year. The EU is about to officially define "high-risk AI systems." If there are unknown vulnerabilities in your open-source supply chain, and regulators come to you without audit records, fines will not be waived just because you say, "We didn't know."
The logic of these three things is consistent: AI infrastructure is shifting from "whether to buy" to "how to buy." How to embed security into the development process, how to lock down risks in computing power, and how to continuously monitor open-source components: these decisions are now much more granular than before. CIOs need to descend from the strategic level to the level of contract terms. Anyone still using last year's mindset to sign this year's infrastructure contracts is gambling with the company's business continuity.
