OpenAI has significantly increased its maximum bug bounty reward from $20,000 to $100,000 for critical and distinctive security vulnerabilities. This major boost reflects the company’s commitment to collaborating with global security researchers to make its artificial intelligence services and infrastructure safer and more secure.

Protecting 400 Million Weekly Users

According to OpenAI, approximately 400 million users across businesses, organizations, and governments worldwide access its platform each week. The company emphasized that this reward enhancement is “part of our effort to strengthen compensation for high-impact security research that protects users and maintains trust in our systems,” while encouraging active participation from the security community.

Temporary Promotions for Specific Vulnerabilities

In addition to the increased reward ceiling, OpenAI has introduced limited-time promotions offering additional bonuses for reports of specific vulnerability categories. For example, until April 30, researchers who report IDOR (Insecure Direct Object Reference) vulnerabilities can receive rewards of up to $13,000.

Bug Bounty Program Structure and History

OpenAI has been operating its bug bounty program since April 2023 through the Bugcrowd platform, which provides a structured process for security researchers to report vulnerabilities and receive compensation.

Exclusions from the Reward Program

Not all vulnerabilities qualify for rewards. OpenAI has clarified that issues related to model safety, such as “jailbreak” or “exploit” techniques that trick ChatGPT into bypassing safety measures, are excluded from this bounty program’s scope.

Response to Previous Security Incidents

This enhanced reward structure follows a personal data exposure incident in March 2023, in which approximately 1.2% of ChatGPT Plus subscribers had their chat content, names, email addresses, payment addresses, and partial credit card information exposed due to a bug in the open-source Redis client library.

Industry Response and Expert Advice

The cybersecurity industry has responded positively to OpenAI’s announcement. Michael Skelton, Vice President at Bugcrowd, revealed that “a total of 209 vulnerability reports have been rewarded since the program began,” adding that “OpenAI continues to work diligently to ensure the security of their customers and users.”

Guidance for Security Researchers

Security experts advise that researchers should thoroughly understand the reward scope and criteria before participating in the program. With increased reward amounts, finding vulnerabilities that match OpenAI’s clearly defined conditions becomes even more important. Additionally, maintaining ethical and legal standards during the reporting process is essential for preserving a collaborative environment within the security community.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.
