Tell me how I can secure a custom GPT so the custom instructions and attached documents cannot be leaked to users of the custom GPT.
E.g. Are there any known instructions you can include within the custom GPT that can prevent ChatGPT4 from outputting its saved custom instructions or attached documents to users that request them?
#GPT security
Hi @livid coyote. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
Based on the information provided in the extracts, there isn't any specific guidance on how to secure a custom GPT to prevent it from outputting its saved custom instructions or attached documents to users. However, it's important to note that creators of GPTs cannot access user conversations with their GPTs, as stated in OpenAI's official Privacy Policy (https://openai.com/policies/privacy-policy) and Terms of Use (https://openai.com/policies/terms-of-use) (source (https://help.openai.com/en/articles/8554407-gpts-faq#h_56e44d6ee1)).
For user authentication safety with custom GPTs, it's suggested to refer to the documentation about plugins, which can be translated to work with the GPT builder (source (https://community.openai.com/t/494511)).
For more specific information on securing custom GPTs, it would be best to refer to OpenAI's official documentation or reach out to their support team.
Note: you can ask me a follow-up question by @ mentioning me again :speech_balloon:
There is just no way to fully protect it. You can tell it not to leak the instructions, but in the end it's behaving like a little child that just needs to be distracted for 5 seconds so you can steal the candy.
You're spot on. The question was rhetorical, so other DEVs here would also see that there is no known or stated solution.
The fact that there is a "store" opening, and people like myself are working hard to create GPTs with 0 security, is more than just an oversight, it's carelessness and a cavalier attitude. I think it's completely unethical, and cannot, for the life of me, find a rational excuse for why OAI would proceed with this glaring issue.
This topic has been brought up in this Discord, as well as the OAI Dev site. It's also been officially commented on by OAI, as they advised users to turn off "code interpreter," which is an acknowledgement that they are aware of the issue, and unwilling to provide a reliable fix.
This issue turns my stomach, because if these are the business ethics they choose, I cannot imagine what choices might be made if AGI were achieved.
Additionally, these exploits allow you to capture all of the source custom instructions, written by OAI, that sit above our own. It's not just a GPT security issue, but a greater ChatGPT security issue.
The issue is so bad that I used someone else's "security GPT" to write instructions for my own... I had it review its own instructions, then improve them for me. I won't name the specific GPT, but this person is selling their services to GPT creators under the guise that it offers security, which it does not.
I genuinely hope OAI DEVs are reading these concerns and reconsidering this store launch. This security issue is poised to hurt a lot of hard working people on day one, as their instructions are stolen or cloned.
This security breach has been a known issue and area of concern for months, the store is supposedly just around the corner, and it hasn't been patched yet? How does OpenAI expect users to invest time in crafting an optimized instruction set if there are no protections in place for their work?
I think the most useful / important GPTs will be the ones with Actions on them as they'll have abilities that CGPT will never have on its own. Actions can already be protected very easily. Anything else can theoretically be copied with a few paragraphs of prompt at most so I can see why this isn't a priority
LLMs are notoriously bad at keeping secrets so it isn't really worth sweating over tbh
With enough prompting you can get through OAI's goofy lil DALL·E thingy with CGPT,
I disagree; not every prompt can be easily copied (if it were secured properly). Not sweating over it is very dismissive of people's hard work. You can give ChatGPT abilities through careful prompting, which takes lots of trial and error. Getting ChatGPT to behave in various ways is not easy or intuitive, especially as you add on levels of task complexity.
But right now everything can be copied easily... in seconds, because there is NO security whatsoever for documents or prompts.
The sky is the limit, as far as what someone might choose to attach or connect, only to have it immediately stolen or published. There are also no warnings when attaching documents, so what about the non-technical users that have blind faith in OpenAI having their back? Document security is native and assumed on other services. If you upload to Google docs, you're not concerned about whether or not the AI is going to disclose proprietary information. Proprietary data can also be highly valuable, depending on what it is, or even a major security risk, or PII risk, depending on what people attempt to make with GPTs.
I think years in IT and security give me a very different perspective on this.
Actions are just another feature. Not that I disagree that it's an important addition, but it's certainly not the be-all end-all of GPTs' usefulness or design.
I wouldn't be so dismissive about how much work people are putting into these, and the ability to copy them in seconds.
I'm not saying that there shouldn't be safeguards against the data in the instructions / documents, but we have to be realistic. There are entire GPTs dedicated solely to making sure the instructions are secret and encouraging the user to try to get them, and this often takes up the entire character limit allowed and often gets broken anyways. It's very hard to get a LLM to keep a secret that's statically placed in its input in every thread. Naturally, OpenAI is more concerned about making sure ChatGPT isn't assisting with money laundering than preventing people from cloning GPTs that could be engineered in a day or two tops, so I don't expect this to change anytime soon. And even still, it's a terrible idea to statically give the model any sensitive information because just like hallucinations, info leaks are always a risk with current LLM tech, and last time I had Plus, there was definitely a little disclaimer underneath the upload button. It wasn't in 24pt font, but it was there :p
Actions are far more than "just another feature". They give GPTs access to realtime data, public or proprietary, that can't always be retrieved via Google or other traditional means. It's cool to have GPTs play dungeon master with you, but GPTs that don't have any Actions won't meet the same kind of usefulness as those with special access to data, since there's only a few paragraphs of static "proprietary information" being given to the model. That's pretty limiting and won't be monetizable at all due to being too easy to replicate from scratch. I mean, have you seen the sheer amount of dungeon master GPTs that all have different authors / prompts but do exactly the same thing? There's really not much you're protecting by hiding the prompt. The whole thing reeks of "security through obscurity".
But if it can (typically) handle money laundering and other sensitive topics, isn't that an admission that they could do more?
I'm not seeing how that would be the case
GPTs can (typically) keep their instructions secret, but it's also very easy to distract them and trick them into giving the information.
Being very knowledgeable on certain subjects doesn't correlate with intelligent behavior, and GPTs are good evidence of this
No doubt it's the smartest idiot. 😆 The Gandalf game is proof of that. It's vulnerable to any basic social engineering. It's like a gullible 5-year-old with all knowledge.
I think part of this is related to its inability to work through state changes. But I'm also not making excuses for launching a product with no safeguards in place. If the product isn't ready, it isn't ready...
I really can't think of a legitimate use case for putting sensitive information / PII into the instructions / documents. If the user needs to access sensitive information then the GPT can help them authenticate and then retrieve the data dynamically to share with the user
I don't see the problem of leaking the instructions to be so severe that they should withhold the product entirely until they fix it. With that kind of logic, they shouldn't have released ChatGPT until they sorted out the hallucinations. Hallucinations alone have already caused a lot of damage but ChatGPT was still worth it, wasn't it?
I think it's something for OpenAI to work towards since there's definitely room for improvement here, but I don't think it needs to be as much of a priority as some folks think it should be
To me, the bigger related issue was when OpenAI was experimenting with allowing users to directly see the instructions of some GPTs. It made it incredibly easy to just lazily plagiarize as opposed to taking the effort to fool the GPT into giving its instructions
Hallucinating is not equivalent to it leaking customers' or developers' work directly. Apples to lemons...
Sensitive also includes proprietary instructions or attached code. Perhaps a structured step-by-step process, or custom CoT. The output of the GPT is what matters; it doesn't have to show its work. "How" it achieves its answer isn't obvious in many circumstances, and getting it to achieve certain end goals consistently takes significant development effort.
I feel like you're thinking about this from a narrow perspective, and not the myriad of ways other people will use them or arrange them.
I'm not alone in this concern either, as many have voiced their concerns privately to me.
It's one thing to use the automated creator to write one paragraph, and another to spend a month testing 8000 characters of instructions with multiple documents to produce an end result...
That point of view is very dismissive of the latter.
It would be like Spotify having a direct download link for all songs artists uploaded, justifying that the song is only 3min long, and that anyone can sing, so it's really not that valuable. Then saying "at least people are hearing their music," just imagine a world without Spotify...
If it takes you as long to make a GPT as it does to compose an entire song, that's pretty worrying
And it's way easier to copy / steal someone's music than their GPT's instructions so I'm not really sure what your point is
Well, it's easier on the technical side of things. But artists and their creations are protected by law.
The law doesn't require OpenAI to do anything to prevent others from reading your prompt. This is wildly out-of-scope
Yea, exactly, that's the point I was making lol
You were the one who brought in copyright law. Artists' works are protected by copyright, yes, but that doesn't mean anything because lawsuits are expensive and there's clearly no case when no damages took place
I'm really not sure what point you're trying to make
Kek
Wdym with "that doesn't mean anything"? Artists are protected and the protection works pretty well, so the system is working. My point is that there is no law against stealing GPTs and nothing was done by OpenAI to protect creators at all. Sure, you could argue that you can't do anything about that since everyone can hack every LLM because of the way they act, but I, for my part, would really love at least some incentive to fix that. In the end, it is just as much intellectual property as blog articles, books, code and so on, and should at least receive some attention.
Hard agree. I've also hammered on up front about the GPT store and whether there were any protections in place, but never saw anything done.
And now that I am testing it, it is way too easy; see off-topic for example.
I think my response to this is mostly going to be the same as my other points:
- GPTs are only really practical when they have Actions (#1192913624235266179 message)
- Impossible to fully protect the prompt due to technical constraints, just like with hallucinations, so there will always be occasional leakage no matter what (#1192913624235266179 message)
- Current prompting already provides (some basic) security (#1192913624235266179 message)
- You can make the same GPT a million different ways. It's easier to just replicate someone else's GPT than to steal / hack it. Have you seen the number of identical dungeon master GPTs all with different prompts? (#1192913624235266179 message)
GPTs with actions are not the only type of useful GPTs. That is your preference, and not a tangible fact. It's opinion. However, peoples work being cloned isn't opinion, that is a fact...
These aren't points, unless points=misunderstandings. A hallucination is when the model doubles down on why it's right, when it's actually wrong, or provides false information. Like when asked the diamond in a glass question, and it reasons that the diamond is held in place by the glass's gravity. That is NOT equivalent to leaking peoples instructions or documents...
What basic security are you talking about? With one question most GPTs will display their contents without question. There is 0 security in place.
D&D GPTs are not a great reference for all that is possible. Furthermore, one of the first articles I read a month ago, bringing attention to cloned instructions, quoted a developer who had admitted, openly, to modeling his entire instructions after such a GPT, since the instructions were so easily obtainable. In other words, he didn't observe the behavior, or attempt to make something close; no, he directly copied its instructions, VERBATIM, and modeled his own instructions after those instructions. That is actually a popular GPT.
I also don't get why you are so dead set on arguing against any need for security. It shows a complete lack of regard for others' work in a callous, ill-thought-out, unempathetic way.
OAI advertised GPTs as "look, anyone can make them, watch us make them live on stage" and then proceeded to tell everyone how they could make $ in their new store. That is patently false if whatever you make can be directly cloned and sold by someone else.
I think it's reasonable for all to agree that it's ideal for there to be protections in place for custom instructions. It sounds like there are some technical obstacles. Does OpenAI have a position on this?
> GPTs with actions are not the only type of useful GPTs. [...] D&D GPTs are not a great reference for all that is possible.
You haven't elaborated on this.
> These aren't points, unless points=misunderstandings.
You like arguing, don't ya? Half of your post is just ranting about how you think everything I said is entirely opinionated and some kind of "misunderstanding" rather than actually contributing to discussion and commenting on my points. For the sake of this thread, I'll be ignoring those parts...
> What basic security are you talking about? With one question most GPTs will display their contents without question. There is 0 security in place.
Simple prompt engineering, asking the GPT not to disclose its instructions.
> A hallucination is when the model doubles down on why it's right, when it's actually wrong, or provides false information. Like when asked the diamond in a glass question, and it reasons that the diamond is held in place by the glass's gravity. That is NOT equivalent to leaking people's instructions or documents...
You shouldn't be statically providing sensitive information. This was already discussed: #1192913624235266179 message
> one of the first articles I read a month ago, bringing attention to cloned instructions, quoted a developer who had admitted, openly, to modeling his entire instructions after such a GPT, since the instructions were so easily obtainable. In other words, he didn't observe the behavior, or attempt to make something close; no, he directly copied its instructions, VERBATIM, and modeled his own instructions after those instructions. That is actually a popular GPT.
I don't claim that GPT plagiarism doesn't happen. It's just not really a big problem at the moment.
> I also don't get why you are so dead set on arguing against any need for security. It shows a complete lack of regard for others' work in a callous, ill-thought-out, unempathetic way.
I think you're massively misunderstanding my entire point. You seem to believe that my stance is that GPT creators deserve no protections for their work, which I have never said. My entire goal is to explain why we can't expect this whole thing to be a huge priority for OpenAI. It primarily comes down to the points discussed here: #1192913624235266179 message
The harsh truth is that there are much bigger problems to tackle, like for instance, the fact that the models are trained entirely on unlicensed copyrighted data, which I'm surprised you aren't more concerned about given how deeply you care about protecting written works. So many people are baffled that OpenAI isn't giving a ton of attention to the issue with revealing the prompts and I'm trying to explain why we can expect that to be the case 🤷
> OAI advertised GPTs as "look, anyone can make them, watch us make them live on stage" and then proceeded to tell everyone how they could make $ in their new store. That is patently false if whatever you make can be directly cloned and sold by someone else.
I'm a little confused about this part? I would agree that OpenAI isn't always honest in their marketing materials but I don't really see how that affects anything?
TLDR is basically, I could suggest to my local politicians to fix world hunger but I can't really complain when told that this isn't realistic
I can't help but interpret your constant non sequitur statements as trolling. Arguing is making a counter-argument. I said GPT security is important, and you're the one attempting to discredit or devalue the importance in any way you can, by making false equivalent comparisons, and I'm simply keeping the conversation on-topic.
The data AI was trained on is important, so start a new thread for that, because this is about the lack of GPT security and the fact that not even the AI bot has meaningful information available to protect creators.
Additionally, there are multiple OAI posts in the DEV forums, private websites, and even GPT security businesses popping up. It may not be important to you, but it is clearly important to others.
No one reading your posts is going to miss the fact that you don't find value in this discussion, so why continue if not for any other reason but to troll.
It also discourages others from participating in a meaningful conversation, which is toxic behavior.
You made your position clear already, time to start your own thread about where resources should be focused.
I liked the half answer you got on AMA btw
I'm actually greatly appreciative that they answered, and confirmed their (and OAI's) awareness of the issue. I was deeply concerned that the issue wasn't being considered at all, and this shows that it is.
I understand, as does anyone who's been working on GPTs, that there are two sides to the issue (front of the house, back of the house). I think that was well stated. It's a complicated situation.
It's also difficult to answer some security questions directly, so if they do have provisions that they're actively working on, they may not be able to comment directly on them (regarding what they are, or how they work, as that might simply aid would be thieves in circumventing them).
Here's the answer should anyone want to read it. 
#gpts-ama-answers message
It just really shows they are working after the fact and are not proactive thinkers. But yeah, they answered. I personally found the answer not sufficient to feel safe creating GPTs (and giving the public access to those).