The OpenAI Bug Bounty Program Offers Up To $20,000 in Rewards

April 13, 2023Ravie LakshmananSoftware Security / Bug Hunt

OpenAI, the company behind the wildly popular ChatGPT AI chatbot, has launched bug bounty program in an effort to ensure the system is “safe and protected”.

To that end, it has partnered with a crowdsourced security platform Crowd of insects for independent researchers to report vulnerabilities found in their products in exchange for prizes ranging from “$200 for a finding of low severity to $20,000 for an extraordinary find.”

It should be noted that this program does not cover model security or hallucination problems, where the chatbot is asked to generate malicious code or other erroneous output. The company notes that “addressing these issues often involves substantial research and a broader approach.”

Other prohibited categories are denial-of-service (DoS) attacks, coercive OpenAI APIs, and demonstrations that aim to destroy data or gain unauthorized access to sensitive information beyond what is necessary to highlight a problem.

“Please note that official testing does not absolve you of all of OpenAI’s terms of service,” the company warns. “Abuse of the service may result in rate capping, blocking or banning.”

The scope, however, is defects in the OpenAI API, ChatGPT (including plugins), third party integrations, public exposure of OpenAI API keys, and any of the domains operated by the company.

This development was made in response to OpenAI’s takeover of patched accounts and data exposure flaws in the platform, prompting the Italian data protection regulator to take a closer look at the platform.

Italian Data Protection Authority Proposes Action to Lift ChatGPT Ban

Garante, which imposed a temporary ban on ChatGPT on March 31, 2023, has outlined a series of measures that Microsoft-backed companies must agree to implement by the end of the month for the suspension to be lifted.

“OpenAI shall compile and make available, on its website, an information notice explaining the settings and data processing logic required for the operation of ChatGPT together with the rights granted to the data subject,” Garante said.

In addition, an information notice must be made available to Italian users before signing up for the service. Users must also be asked to certify that they are over 18 years of age.

OpenAI has also been instructed to implement an age verification system by September 30, 2023, to screen users under the age of 13 and has provisions for seeking parental consent for users aged 13 to 18. Companies have been given until May 31 to submit plans for an age-gating system.

As part of efforts to exercise data rights, both users and non-users of the service should be able to request “correction of their personal data” if the data was incorrectly generated by the service, or alternatively, have the data deleted if the correction required is technically impractical.

Non-users, according to Garante, should next be provided with easily accessible tools to object to having their personal data processed by OpenAI algorithms. The company is also expected to run an advertising campaign by May 15, 2023, to “notify individuals about the use of their personal data for training algorithms.”

Update: Spain Opens Inquiry into OpenAI ChatGPT

Spanish Data Protection Authority (AEPD), on 13 April 2023, said it has started a preliminary investigation into the OpenAI ChatGPT service for alleged violations of EU data protection laws.

European Data Protection Agency (EDPB), at a related announcementssaid it was launching a “special task force to encourage cooperation and to exchange information on possible enforcement actions taken by data protection authorities.”