OpenAI to pay up to $20k in rewards through new bug bounty program

lots of lime-coloured padlocks set against a green background, with one orange padlock in the middle that's unlocked

(Image credit: Getty Images)

OpenAI has unveiled a new bug bounty program offering rewards for security researchers if they can uncover vulnerabilities in its products.

In an announcement on Tuesday, the California-based AI firm said the bug bounty scheme is “essential to our commitment to develop safe and advanced AI” and deliver services that are secure, reliable, and trustworthy.

As part of the initiative, OpenAI said it will offer a tiered reward system based on the severity of bugs uncovered by researchers.

Rewards can range from as little as $200 for low-severity flaws with a maximum reward of $20,000 for “exceptional discoveries”.

“The OpenAI Bug Bounty Program is a way for us to recognize and reward the valuable insights of security researchers who contribute to keeping our technology and company secure,” the firm said in a statement.

“We invite you to report vulnerabilities, bugs, or security flaws you discover in our systems. By sharing your findings, you will play a crucial role in making our technology safer for everyone.”

Researchers participating in the new initiative will be able to disclose vulnerabilities or flaws through a partner organisation, Bugcrowd.

Bugcrowd will manage the submission and reward process, which OpenAI said is designed to “ensure a streamlined experience for all participants”.

ChatGPT vulnerability concerns

The move from OpenAI follows a period of unrest over security-related issues at the generative AI firm, which has close ties with Microsoft.

Last month, the company revealed that a bug in ChatGPT led to a leak of users' data.

RELATED RESOURCE

Whitepaper cover with image of male colleague at workstation — (Image credit: TrendMicro)

SOC modernisation and the role of XDR

How to cope with increasing threats and IT sprawl

DOWNLOAD FOR FREE

This flaw meant that ChatGPT Plus users began seeing user email addresses, subscriber names, payment addresses, and limited credit card information.

The issue prompted the company to temporarily take the chatbot offline to work on a fix.

“The bug was discovered in the Redis client open-source library, redis-py,” OpenAI explained in a post at the time.

“As soon as we identified the bug, we reached out to the Redis maintainers with a patch to resolve the issue.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.