A bounty for one prompt

OpenAI is offering selected researchers $50,000 to find a single prompt that can repeatedly get past its biological-safety guardrails.

The company announced on 9 July that its GPT-5.5 Bio Bug Bounty would become an ongoing private programme. GPT-5.6 is now the main target, and future frontier models are expected to enter the programme as they arrive. Testing of GPT-5.5 continues until 27 July; after that date, OpenAI says only GPT-5.6 will remain in scope unless it announces another change.

This is not a contest to make a model say something merely offensive or impolite. The target is narrower and more serious: one universal jailbreak that can defeat a predefined set of biosafety checks.

The programme is application-only. Accepted participants need an existing ChatGPT account, relevant experience and a signed non-disclosure agreement. Smaller awards may be paid for partial results at OpenAI's discretion.

What universal means here

A jailbreak is a way of persuading a model to ignore or work around the restrictions placed on it. Many jailbreaks are brittle. They work for one question, stop working after an update or depend on a long sequence of carefully adjusted prompts.

OpenAI is asking for something more reusable. The same strategy must obtain answers to five separate biosafety questions from a clean conversation without triggering the moderation system. The company's GPT-5.5 system card describes the aim as finding a reproducible method that can override the model's biological guardrails across a series of challenges.

That makes the bounty more useful than a collection of isolated screenshots. If one prompt works across several high-risk tasks, it may reveal a weakness in the design of the safety system rather than a one-off mistake in a particular answer.

The five underlying questions are not public. That is understandable if disclosing them would provide a ready-made map for attackers. It also means an outside reader cannot independently judge how demanding or representative the test is.

Why GPT-5.6 changes the stakes

The bounty arrives alongside OpenAI's release of GPT-5.6. In its system card, the company places all three models in the family — Sol, Terra and Luna — in its High category for biological and chemical capability.

Under OpenAI's framework, that classification is meant to capture models that could give meaningful assistance to less experienced actors attempting to create a known severe threat. It does not mean the company says GPT-5.6 can independently create or deploy a biological weapon. The system card says its most capable model remains below one of the indicative thresholds the company uses in this area.

OpenAI reports that external evaluator SecureBio found strong results on several expert-level biology benchmarks, alongside important limitations in judgment, communication and risk-sensitive decision-making. The company also says it has used more than 700,000 A100-equivalent GPU hours to search automatically for universal jailbreaks and will continue automated red-teaming after deployment.

Those are OpenAI's published results and descriptions. Model Current cannot independently reproduce the private evaluations, inspect the full safeguards report or verify the computing total.

What a bug bounty can reveal

Traditional software bug bounties give outside researchers a reason to report a vulnerability privately before it is widely exploited. Applying that model to AI safety is not straightforward, because a model's behaviour is less predictable than a piece of code and can change with updates. The basic incentive still makes sense: reward people who find a repeatable failure, give the developer time to reproduce it, then fix the underlying weakness.

A bounty also makes the success condition clearer. Make the model safer is hard to measure. Find one prompt that defeats all five challenges is specific enough for researchers and the company to test.

But the result is only as strong as the scope. A model can resist the five chosen questions and still fail on a sixth. Attackers may use several prompts, external tools, stolen accounts or fine-tuned models rather than one elegant universal jailbreak. Passing this challenge would therefore be evidence about one part of the safety stack, not proof that biological misuse has been solved.

The privacy trade-off

The programme sits beside OpenAI's broader public Safety Bug Bounty, but biological jailbreaks are deliberately handled through a private track. All prompts, model outputs, findings and communications are covered by the NDA.

That secrecy can protect sensitive details and give engineers space to fix a flaw before it spreads. It can also leave outsiders with a thin public record. We may learn that a bounty was paid without seeing what failed, how broadly the weakness applied, how quickly it was repaired or whether an independent party confirmed the fix.

OpenAI has good reasons not to publish a working route to harmful biological guidance. It can still provide useful accountability without sharing the dangerous instructions themselves: the number and severity of valid reports, time to remediation, the layers that failed, the scope of the patch and whether a trusted external evaluator retested it.

What to watch

The first question is whether anyone wins the full reward. No public announcement currently says that a universal jailbreak has been accepted for GPT-5.5 or GPT-5.6.

The more important question is what happens after a valid report. A mature programme should make the finding reproducible for the developer, close the weakness without simply blocking a few phrases and test whether the same class of attack appears elsewhere.

OpenAI's move is a sensible admission that its internal testing will not find every failure. The $50,000 figure will attract attention, but the programme's real value will be measured in quieter details: who is allowed to test, what they discover, how quickly the safeguards change and how much evidence the company can safely make public.

Sources

  1. OpenAI — OpenAI Bio Bug BountyPrimary source for the programme's scope, $50,000 reward, GPT-5.6 coverage, application process, NDA and 27 July transition.
  2. OpenAI Deployment Safety Hub — GPT-5.6 System CardCompany source for the High biological and chemical capability classification, external-evaluation summary, safeguards and automated red-teaming claims.
  3. OpenAI Deployment Safety Hub — GPT-5.5 System CardCompany source for the stated purpose of the universal-jailbreak challenge and how the original programme was designed.
  4. OpenAI — Safety Bug BountyPrimary source distinguishing the public general safety bounty from private campaigns for high-risk jailbreak research.