# Do I get a role if I find a potentially exploitable bug

pastel tide

hypothetically of courseee

prisma cedar BOT

Hi @pastel tide. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Finding a security vulnerability in OpenAI's systems won't get you a formal "role," but you can receive the following recognition and rewards:

  • Public acknowledgment: If you request it, OpenAI will credit you (by name, alias, and/or affiliation) in any published advisory, release notes, or CVE disclosure page. [CVE assignment policy]
  • Monetary reward: If you submit the report through OpenAI's Bug Bounty Program (hosted on Bugcrowd), you may be eligible for a cash reward, subject to their published rules. [CVE assignment policy]

To report a vulnerability, you should follow OpenAI's Coordinated Vulnerability Disclosure Policy and submit through the Bug Bounty program on Bugcrowd. [vulnerability disclosure policy]

A couple of important notes:

  • AI model "jailbreaks," hallucinations, or policy bypasses are out of scope for the CVE/bug bounty program — those should be reported through separate AI safety channels.
  • OpenAI aims to acknowledge reports within 3 business days and asks that you keep the vulnerability confidential until a fix is in place. [CVE assignment policy]

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

pastel tide

@prisma cedar what if the bug lets you repeat as many prompts as you want in a chat with attachments

prisma cedar BOT

Let me check the knowledge base for you again. One moment! :books:

Based on the knowledge sources available, I can't definitively classify this specific scenario for you. However, here's what the policies do say:

What's likely out of scope:
If the bug relates to AI model behavior — e.g., bypassing limits on how many prompts or messages you can send by exploiting the model itself — that could fall under "policy bypasses," which are explicitly excluded from the CVE/bug bounty scope. [CVE assignment policy]

What could be in scope:
If the bug is a technical security vulnerability — for example, a flaw in the underlying software or infrastructure that lets you circumvent usage limits in a way that could compromise the confidentiality, integrity, or availability of OpenAI systems — that could fall within scope. [CVE assignment policy]

The honest answer: The distinction can be nuanced, and OpenAI's security team would need to assess it. The best course of action is to:

  1. Report it through the Bug Bounty Program on Bugcrowd or via the Coordinated Vulnerability Disclosure Policy.
  2. Let OpenAI's security team triage and determine whether it qualifies. [vulnerability disclosure policy]

OpenAI aims to acknowledge reports within 3 business days and will investigate to determine impact and severity. Even if it doesn't qualify for a CVE or bounty, reporting it in good faith is the right move.