OpenAI has launched a new bug bounty program to engage researchers in addressing AI abuse and safety risks across its products.
The new Safety Bug Bounty program was announced on March 26 and is hosted on Bugcrowd.
It complements the firm’s Security Bug Bounty, also hosted on Bugcrowd, that has rewarded 409 security vulnerabilities in OpenAI’s product offerings since its launch in April 2023.
With the Safety Bug Bounty, OpenAI wants to encourage disclosures of issues in its products that pose “meaningful abuse and safety risks, even if they don’t meet the criteria for a security vulnerability.”
The scenarios covered by this new program encompass:
- Agentic risks, including model context protocol (MCP) abuse, third-party prompt injection, data exfiltration, disallowed actions at scale on OpenAI’s website or other potentially harmful unlisted behaviors
- Violations of account and platform integrity (e.g. bypassing anti-automation controls, manipulating account trust signals, evading account restrictions/suspensions/bans)
- OpenAI proprietary information abuse (e.g. model generations that return proprietary information related to reasoning; vulnerabilities that expose other OpenAI proprietary information)
Key Differences: OpenAI’s Security vs. Safety Bug Bounty Programs
OpenAI outlined that integrity violations involving a user having access to features, data or functionalities beyond authorized permissions should be reported to the Security Bug Bounty rather than the new Safety Bug Bounty.
The company further clarified that general content-policy bypasses without clear safety or abuse impact are not eligible for rewards.
For example, it specified that “jailbreaks” that only result in rude language or easily searchable information are out of scope.
However, researchers who identify flaws enabling direct user harm with actionable fixes may still qualify for rewards on a case-by-case basis.
OpenAI also stated that it periodically runs private bug bounty campaigns targeting specific harm types, including biorisk content issues in ChatGPT Agent and GPT-5.
Researchers can already submit issues to the Safety Bug Bounty program via Bugcrowd. An OpenAI team responsible for both Safety and Security Bug Bounty programs will triage submissions, which may be rerouted between the two programs depending on scope and ownership.
Image credits: Samuel Boivin / Stock all / Shutterstock.com
Read now: Why AI’s Rise Makes Protecting Personal Data More Critical Than Ever
