Today’s Topics:
- OpenAI’s Codex Security Finds Over 10,000 High-Severity Vulnerabilities in 1.2 Million Code Commits
- Apple’s iPhone and iPad Approved for Handling NATO Restricted Classified Information
- How can Netizen help?
OpenAI’s Codex Security Finds Over 10,000 High-Severity Vulnerabilities in 1.2 Million Code Commits

OpenAI has begun rolling out a new artificial intelligence–driven security capability called Codex Security, a tool built to identify, validate, and propose fixes for software vulnerabilities across large codebases. The system, now available in a research preview for ChatGPT Pro, Enterprise, Business, and Edu customers, represents a new step in the use of AI agents for application security testing. During the last month of beta testing alone, the system analyzed more than 1.2 million commits across public repositories and uncovered thousands of serious security flaws.
According to OpenAI, the scans identified 792 critical vulnerabilities and 10,561 high-severity issues across a range of widely used open-source projects. Among the affected platforms were major software components such as OpenSSH, GnuTLS, libssh, PHP, Chromium, Thorium, and GOGS. Several vulnerabilities identified during the scans have already received CVE identifiers, including CVE-2026-24881 and CVE-2026-24882 in GnuPG, CVE-2025-32988 and CVE-2025-32989 in GnuTLS, and multiple vulnerabilities in the Thorium browser project including CVE-2025-35430 through CVE-2025-35436. The scale of the findings highlights how large repositories and long development histories can allow security flaws to remain undiscovered for extended periods.
Codex Security evolved from an earlier OpenAI research effort known as Aardvark, which entered private beta in late 2025 as an experiment in automated vulnerability discovery. That project focused on identifying weaknesses across large software ecosystems using advanced reasoning models. Codex Security expands on that approach by integrating system context analysis, automated validation, and patch generation into a single security workflow.
The system begins by examining the structure of a repository to determine how different components interact and where security exposure is likely to exist. This initial analysis produces an editable threat model describing the architecture of the application and identifying areas where vulnerabilities may have the greatest impact. Rather than treating code files in isolation, the system attempts to interpret how the software behaves as a full application.
After building this contextual understanding, the agent analyzes the codebase for weaknesses and ranks findings according to potential real-world impact. The system then validates suspected vulnerabilities inside a sandbox environment to determine whether the issue can actually be reproduced. This step aims to reduce the volume of false alerts that typically appear in automated static analysis tools.
OpenAI reports that accuracy improved significantly across repeated scans of the same repositories, with false positive rates declining by more than fifty percent. The company attributes the improvement to the combination of model reasoning and automated validation, which allows the agent to test its own findings rather than presenting raw detections to developers.
When the system confirms a vulnerability, Codex Security generates remediation suggestions that attempt to align with the behavior of the existing application. In some cases the system can produce working proof-of-concept demonstrations showing how the vulnerability could be exploited. These demonstrations are intended to help security teams validate risk and accelerate remediation.
The agent can also run against environments configured to match the software being tested. When deployed this way, Codex Security can evaluate suspected vulnerabilities against the running application itself rather than relying only on static code analysis. OpenAI says this capability helps confirm whether a vulnerability is actually reachable and exploitable within the deployed system.
The release of Codex Security comes during a period of rapid development in AI-driven application security tools. Just weeks earlier, Anthropic introduced its own system called Claude Code Security, designed to analyze code repositories and recommend patches. Both tools reflect a broader effort across the industry to apply large language models to vulnerability discovery and secure software development.
Apple’s iPhone and iPad Approved for Handling NATO Restricted Classified Information

Apple has announced that the iPhone and iPad have received approval for use in environments that handle classified information up to the NATO Restricted level, marking the first time consumer mobile devices have achieved compliance with the information assurance requirements used by NATO nations. The certification follows extensive security testing and evaluation conducted by the German government, confirming that Apple’s mobile platforms meet the operational and security standards required for handling restricted NATO data.
The approval allows iPhone and iPad devices running iOS 26 and iPadOS 26 to process classified information within NATO environments without the need for additional security software or specialized configurations. According to Apple, no other consumer mobile devices currently meet this certification standard, which has historically been reserved for custom-built government systems or specialized hardened hardware.
The evaluation process was conducted by Germany’s Federal Office for Information Security, known as the Bundesamt für Sicherheit in der Informationstechnik (BSI). As part of the assessment, BSI performed technical testing, security validation, and in-depth analysis of Apple’s mobile platform architecture. The review examined how the operating system, hardware protections, and platform security controls interact to protect sensitive data under strict government security requirements.
Apple’s security architecture integrates protections across the hardware and software stack, including encryption systems, biometric authentication, and device integrity protections embedded in Apple silicon. Features such as Face ID authentication and memory integrity protections were included in the evaluation, demonstrating that the devices provide strong safeguards against unauthorized access and system compromise.
Prior to this broader NATO approval, iPhone and iPad had already been authorized for use with classified German government data under BSI oversight. That earlier authorization confirmed that Apple’s native iOS and iPadOS security capabilities could meet the standards required for handling sensitive government information. The latest certification expands this recognition across NATO member states, enabling the devices to be deployed in allied government environments handling restricted data.
Following the evaluation, iOS 26 and iPadOS 26 have been listed in the NATO Information Assurance Product Catalogue, which tracks technologies approved for use in NATO information systems. Inclusion in the catalogue indicates that the platform meets defined security assurance criteria and can be used in operational environments that manage classified information at the restricted level.
Officials involved in the evaluation emphasized the importance of incorporating security protections directly into product development. Claudia Plattner, president of BSI, stated that secure digital transformation depends on integrating information security from the earliest stages of mobile device design. The agency’s audit of Apple’s platform security architecture formed the basis for confirming compliance with NATO assurance requirements.
According to Ivan Krstić, Apple’s vice president of Security Engineering and Architecture, the company’s strategy has focused on embedding strong security protections directly into widely distributed consumer devices rather than relying on specialized hardware built only for government or enterprise environments.
For NATO organizations and government agencies, the approval opens the possibility of using mainstream mobile hardware within classified operational contexts while relying on native platform protections. Historically, devices used in such environments required extensive customization and dedicated security infrastructure before they could be deployed.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering, which enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.