
OpenAI Raises Security Bounty to $100,000 for Critical Flaws

OpenAI has announced a major update to its bug bounty program, now offering rewards of up to $100,000 for identifying critical vulnerabilities. This change demonstrates the company’s commitment to strengthening platform security through collaborative research.

In a move to encourage in-depth and impactful vulnerability discoveries, OpenAI has introduced limited-time bounty bonuses. These are available for specific categories of reports submitted during promotional periods. Researchers who qualify can receive increased payouts during these windows.

Double Rewards for IDOR Vulnerabilities Until April 30

As part of this initiative, OpenAI is doubling payments for reports of Insecure Direct Object Reference (IDOR) flaws until April 30. These particular vulnerabilities can now earn researchers a maximum of $13,000.

OpenAI’s bug bounty program originally launched in April 2023 via Bugcrowd, a platform known for crowdsourced security research. Initial payouts reached up to $20,000, depending on the severity and impact of the vulnerability reported.

Model Safety Reports and Jailbreaks Remain Excluded

OpenAI’s bounty scope does not cover model safety concerns, including chatbot jailbreaks and other methods that bypass safety controls. These remain outside the current reward structure.

The program expansion follows a significant incident in 2023, when a Redis client bug caused a data breach on the ChatGPT platform. This issue exposed sensitive user data, including names, emails, billing addresses, and partial credit card numbers of around 1.2% of ChatGPT Plus subscribers.

OpenAI hopes these updates will inspire researchers to focus on technical vulnerabilities that could pose real threats to user privacy and platform stability.

David McAfee

David McAfee is a seasoned cybersecurity expert with over a decade of experience at VPN Group. Specializing in online privacy and digital security, he has played a key role in developing advanced strategies to protect individuals and organizations from cyber threats.