OpenAI’s New Approach to Third-Party Vulnerabilities: Scalable and Responsible

OpenAI's Outbound Coordinated Disclosure Policy

OpenAI has announced a new Outbound Coordinated Disclosure Policy, outlining its approach to responsibly reporting security vulnerabilities discovered in third-party software. This move signals the company’s commitment to fostering a safer digital environment as artificial intelligence becomes increasingly adept at identifying and addressing security threats.

Commitment to a Safer Digital Ecosystem

OpenAI’s new policy is designed to ensure that vulnerabilities found in both open-source and commercial software are reported in a manner that is respectful, collaborative, and beneficial to the broader technology community. The company emphasizes that as AI systems advance, coordinated vulnerability disclosure will become essential for maintaining trust and resilience in the digital ecosystem.

OpenAI’s AI-powered tools have already identified zero-day vulnerabilities in third-party and open-source projects. By formalizing its disclosure process, OpenAI aims to set a standard for responsible vulnerability reporting as the prevalence and complexity of such discoveries grow.

Key Features of the Disclosure Policy

Scope and Coverage

  • The policy applies to vulnerabilities discovered through ongoing research, targeted audits of open-source code used by OpenAI, and automated analysis with AI tools.
  • It covers both manual and automated code reviews, as well as issues surfaced during internal use of third-party software and systems.

Disclosure Process

  • OpenAI’s process details how vulnerabilities are validated, prioritized, and reported to vendors.
  • The company favors a non-public, cooperative disclosure approach, only going public if circumstances require it.
  • Principles guiding the policy include being impact-oriented, cooperative, discreet by default, scalable, and providing attribution when appropriate.

Flexible Timelines and Developer-Friendly Approach

  • OpenAI has opted for open-ended disclosure timelines by default, recognizing that as AI becomes more capable of analyzing and patching code, the nature of vulnerability discovery is evolving.
  • This flexibility allows for deeper collaboration with software maintainers and ensures that complex bugs can be addressed thoroughly and sustainably.
  • The company retains the option to disclose vulnerabilities publicly if it serves the public interest.

Looking Ahead: Continuous Improvement and Community Engagement

OpenAI’s policy is designed to evolve as the company learns from ongoing experience. The organization encourages feedback from vendors, researchers, and the wider community, inviting questions and suggestions at [email protected].

OpenAI underscores that security is an ongoing journey, shaped by transparency and collaboration. By openly sharing its approach, the company hopes to inspire a more secure and resilient software ecosystem for all.