OpenAI has increased its maximum bug bounty to $100,000 (from $20,000) as it plans to outsource the discovery of critical vulnerabilities in its infrastructure and products.
The new bounty program is part of OpenAI's suite of security initiatives, including funding security research projects, ongoing red teaming, and engagement with open source communities.
In addition to higher payouts for critical bugs, OpenAI said it will be running bonus promotions for a limited time that will apply to reports that meet all standards and requirements.
“During such promotions, researchers who submit relevant reports in certain categories will be eligible for additional bonuses,” company representatives say.
For example, through April 30, OpenAI is doubling rewards to researchers who report Insecure Direct Object Reference (IDOR) vulnerabilities in its infrastructure and products, setting the maximum reward at $13,000.
OpenAI also announced an expansion of its Cybersecurity Grant Program, which has already funded 28 research initiatives since its launch in 2023. OpenAI said the projects receiving funding focus on topics such as prompt injection, secure code generation, and the development of autonomous cybersecurity defense systems.
The program now invites proposals from specialists working on software remediation, model confidentiality, threat detection and response, security system integration, and resilience to complex attacks.
OpenAI also announced the launch of microgrants, issued in the form of API credits, intended to help researchers quickly build prototypes of creative solutions.
Recall that the OpenAI bug bounty program was launched in 2023, when the maximum payout for critical bugs was $20,000.
The launch of the rewards program comes a month after a major data breach of ChatGPT users. At the time, people were able to see other people’s requests to the chatbot, and some ChatGPT Plus subscribers were also able to see other users’ personal data, including the subscriber’s name, email address, billing address, and even the last four digits of their credit card number and expiration date. As it turned out, the problem was caused by a bug in the open-source Redis client library.