OpenAI: A Reward Program to Secure AI
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
OpenAI Launches an AI Security Bug Bounty Program
OpenAI recently announced the launch of a public bug bounty program focused on security, aimed at identifying and addressing potential abuses related to artificial intelligence. As AI continues to evolve at a rapid pace, the risks of malicious use are also increasing. The primary goal of this program is to ensure that OpenAI's systems remain secure and protected against abuses that could cause real harm.
This program complements the existing security bug bounty initiative at OpenAI. It accepts reports of issues that, while not meeting traditional vulnerability criteria, still present significant risks of abuse and security. OpenAI hopes to collaborate with security and safety researchers to identify and resolve problems that fall outside the realm of classic security vulnerabilities but still pose real threats. Submissions will be reviewed by OpenAI's security bug bounty and safety teams and may be redirected between the two programs based on their nature and significance.
Program Focus
OpenAI's security bug bounty program focuses on specific AI-related scenarios, as outlined below:
-
Agentic Risks, including MCP (Model of Predictive Conduct)
- Third-party prompt injection and data exfiltration: this occurs when an attacker's text reliably manages to divert a victim's agent, such as products like the browser or ChatGPT agent, to perform a harmful action or disclose sensitive user information. This behavior must be reproducible in at least 50% of cases.
- An agentic product from OpenAI performs an unauthorized action on the OpenAI website at scale.
- An agentic product from OpenAI carries out a potentially harmful action not mentioned above. Valid reports must demonstrate plausible and material harm.
- Any testing for MCP risk must comply with the terms of use of any third party.
-
OpenAI Proprietary Information
- Model generations that reveal proprietary information related to reasoning.
- Vulnerabilities that expose other proprietary information from OpenAI.
-
Account and Platform Integrity
- Vulnerabilities in account and platform integrity signals, such as bypassing anti-automation controls, manipulating account trust signals, evading account restrictions/suspensions/bans, and similar issues.
- Issues allowing users to access features, data, or functionalities beyond authorized permissions should be reported to the security bug bounty program.
While jailbreaks are excluded from this program, OpenAI periodically organizes private bug bounty campaigns focused on certain types of harm, such as content issues related to biological risks in the ChatGPT agent and GPT-5. Interested researchers are encouraged to apply to these programs when they are available.
Outside of the mentioned categories, if researchers identify defects that facilitate direct pathways to harm for users and discreet, actionable remediation steps, these may be considered eligible for rewards on a case-by-case basis. General content policy workarounds without demonstrable impact on security or abuse are outside the scope of this program. For example, "jailbreaks" that lead to the model using profanity or returning information easily found via search engines are excluded.
Participation in the Program
Researchers wishing to participate can apply through OpenAI's security bug bounty program. OpenAI looks forward to collaborating with researchers, ethical hackers, and the security and safety community to create a secure AI ecosystem.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.