Date: 2023-04-14

OpenAI launched a new bug bounty program that offers cash rewards ranging from $200 to $6,500 per vulnerability, depending on the severity.

The scope of the program focuses on APIs, third-party corporate targets, ChatGPT, API keys, and some websites which are subdomains of openai.com.

OpenAI also stated that model safety issues aren’t included in the bug bounty program, and issues related to the content of model prompts and responses are out of scope.

OpenAI, the creator of ChatGPT, announced the launch of its new bug bounty program. With the program, the company expects ethical hackers to help it eliminate vulnerabilities and bugs. The Bugcrowd page of the bug bounty program is now live, and so far 29 vulnerabilities have been rewarded, with an average payout of $694.73.

$20,000 maximum reward

According to the announcement, the priority rating for most findings will use the Bugcrowd Vulnerability Rating Taxonomy. However, vulnerability priority and reward may be modified based on likelihood or impact at OpenAI’s sole discretion. The reward per vulnerability ranges from $200 to $6,500. The rules of engagement for the bug bounty program are:

You are authorized to perform testing in compliance with this policy.

Follow this policy and any other relevant agreements. In case of inconsistency, this policy takes precedence.

Promptly report discovered vulnerabilities.

Refrain from violating privacy, disrupting systems, destroying data, or harming the user experience.

Use OpenAI’s Bugcrowd program for vulnerability-related communication.

Keep vulnerability details confidential until authorized for release by OpenAI’s security team, which aims to provide authorization within 90 days of report receipt.

Test only in-scope systems and respect out-of-scope systems.

Do not access, modify, or use data belonging to others, including confidential OpenAI data. If a vulnerability exposes such data, stop testing, submit a report immediately, and delete all copies of the information.

Interact only with your own accounts unless authorized by OpenAI.

Disclosure of vulnerabilities to OpenAI must be unconditional. Do not engage in extortion, threats, or other tactics to elicit a response under duress. OpenAI denies Safe Harbor for vulnerability disclosure conducted under such circumstances.

OpenAI also clarified that model safety issues are not included in the bug bounty program because they are not individual, discrete bugs that can be directly fixed. Addressing these issues requires substantial research and a broader approach. The scope includes API targets, third-party corporate targets, OpenAI API keys, OpenAI Research Organization, and ChatGPT, including ChatGPT Plus, logins, subscriptions, OpenAI-created plugins, and all other functionality.