Apr 12, 2023 11:50:00

OpenAI launches bug bounty program for AI systems such as ChatGPT, bounty up to 2.7 million yen Excluding model content filtering etc.

OpenAI , an AI development company that developed ChatGPT for interactive AI, has partnered with bug bounty platform Bugcrowd to launch a new bug bounty program to ensure the safety of AI systems. Security researchers who report vulnerabilities are awarded $200 to $6,500 (about 27,000 yen to about 869,000 yen) for each vulnerability, up to $20,000 (about 270 10,000 yen) will be awarded.

We're launching the OpenAI Bug Bounty Program — earn cash awards for finding & responsibly reporting security vulnerabilities. https://t.co/p1I3ONzFJK

— OpenAI (@OpenAI) April 11, 2023

Announcing OpenAI's Bug Bounty Program
https://openai.com/blog/bug-bounty-program

OpenAI's bug bounty program - Bugcrowd
https://bugcrowd.com/openai

OpenAI launches bug bounty program with rewards up to $20K
https://www.bleepingcomputer.com/news/security/openai-launches-bug-bounty-program-with-rewards-up-to-20k/

OpenAI to offer users up to $20,000 for reporting bugs | Reuters
https://jp.reuters.com/article/openai-bug/openai-to-offer-users-up-to-20000-for-reporting-bugs-idUSL4N36E3KW

In a blog announcing the launch of its bug bounty program, OpenAI said, ``OpenAI invests heavily in research and engineering to ensure our AI systems are secure, but like all complex technologies, , we understand that vulnerabilities and flaws can appear in systems, and we believe that transparency and cooperation are essential to addressing this reality. We invite the global community of security researchers, ethical hackers, tech enthusiasts, and others to work together to identify and address vulnerabilities in our systems, providing incentives for vulnerability information. We are excited to build a coordinated disclosure commitment by doing so.'

In launching the bug bounty program, OpenAI asks you to look for security vulnerabilities according to the following rules.

・Promptly report any discovered vulnerabilities.
- Refrain from violating privacy, system interruptions, data destruction, and user experience violations.
・Report vulnerabilities through Bugcrowd.
・Keep the details of the vulnerability confidential until OpenAI's security team approves its disclosure.
・Do not access, modify, or use the data of others, including OpenAI's confidential data. If a vulnerability exposes these data, stop testing, report immediately, and delete copies of the data.
- Interact only with your own account, unless permitted by OpenAI.
・Disclose vulnerabilities unconditionally and do not use them for extortion or intimidation.

OpenAI is committed to providing a non-compliant safe harbor for vulnerability investigations conducted in accordance with its guidelines, cooperating in understanding and validating reports, and remediating validated vulnerabilities in a timely manner. .

The bug bounty program includes OpenAI's various APIs and related infrastructure, confidential information published through third parties, websites operated by OpenAI, etc., as well as ChatGPT's login and subscription plans, plugins, etc. It also includes inns.

However, it is security issues such as authentication and data leaks that are required to be reported through the bug bounty program, not model issues. OpenAI said, “Model safety issues are not discrete bugs that can be fixed directly, so they do not fit well into bug bounty programs. We need an approach, so that we can better address these issues, please report them using the appropriate form instead of the bug bounty program,' and circumventing or abusing protections using prompts. We invite you to report it through

the model's feedback report page .

The severity of reported vulnerabilities is evaluated based on Bugcrowd's vulnerability classification and OpenAI's judgment, and a bounty of $200 to $6500 is paid per vulnerability. There will also be a reward of up to $20,000 for 'exceptional discoveries.'

OpenAI has not mentioned a specific case as to why it launched the bug bounty program, but it may be related to the ``bug that allows you to see other people's chat history'' that occurred in ChatGPT in March 2023. BleepingComputer of IT media points out that there is. This bug was caused by the open source library redis-py used in the platform, and in addition to the chat history , some of the personal information of the subscribers of the paid plan 'ChatGPT Plus' was leaked .

ChatGPT has a bug that other people's chat history can be seen, ChatGPT is temporarily down to fix the bug & chat history remains unavailable - GIGAZINE

Reuters referred to a case in which Italy's access to ChatGPT was blocked in April in accordance with an Italian data protection agency's order to ``stop processing Italians' data''. “The move comes days after ChatGPT was banned in Italy for alleged breaches of privacy regulations, prompting regulators in other European countries to study generative AI services in more detail.” said Reuters.

OpenAI blocks access to ChatGPT from Italy - GIGAZINE