OpenAI, the organization responsible for the creation of the widely popular ChatGPT AI chatbot, has recently initiated a bug bounty program with the primary goal of maintaining the safety and security of its systems. In order to achieve this, OpenAI has joined forces with Bugcrowd, a crowdsourced security platform, to enable independent researchers to report any vulnerabilities they might discover in the company's product. As an incentive, rewards will be given, starting from $200 for low-severity findings and reaching up to $20,000 for exceptionally groundbreaking discoveries.
It is important to mention that the bug bounty program does not include issues related to model safety or hallucination, situations in which the chatbot might be prompted to generate malicious code or other problematic outputs. OpenAI has clarified that addressing these types of issues typically necessitates extensive research and a more comprehensive approach.
The program also excludes certain categories such as denial-of-service (DoS) attacks, brute-forcing OpenAI APIs, and demonstrations aiming to destroy data or gain unauthorized access to sensitive information beyond what is needed to illustrate the issue. OpenAI has also warned that authorized testing does not exempt participants from the company's terms of service, and abuse of the service may result in rate limiting, blocking, or banning.
However, the bug bounty program does encompass defects found in OpenAI APIs, ChatGPT (including plugins), third-party integrations, public exposure of OpenAI API keys, and any domains operated by the organization.
This development is a direct response to OpenAI's recent efforts to fix account takeover and data exposure vulnerabilities in their platform, which caught the attention of Italian data protection regulators. The Garante, which imposed a temporary ban on ChatGPT on March 31, 2023, has provided a list of measures that the Microsoft-backed company must agree to implement by the end of the month in order for the suspension to be lifted.
Among these measures, OpenAI is required to create and publish an information notice on its website detailing the data processing arrangements and logic necessary for the operation of ChatGPT, as well as the rights granted to data subjects. The information notice must be easily accessible to Italian users prior to signing up for the service, and users will be required to confirm that they are at least 18 years old.
Additionally, OpenAI has been instructed to establish an age verification system by September 30, 2023, to exclude users under 13 years of age and to obtain parental consent for users aged between 13 and 18. The company has until May 31 to present a plan for this age-gating system.
In an effort to promote data rights, both users and non-users of the service should have the ability to request rectification of their personal data in cases where it has been inaccurately generated by the service or, alternatively, have the data deleted if corrections are technically unfeasible. The Garante has also mandated that non-users should be given easily accessible tools to object to the processing of their personal data by OpenAI's algorithms. Finally, OpenAI is expected to launch an advertising campaign by May 15, 2023, to inform individuals about the use of their personal data for training algorithms.