惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Last Watchdog
The Last Watchdog
博客园_首页
Martin Fowler
Martin Fowler
S
SegmentFault 最新的问题
美团技术团队
小众软件
小众软件
V
V2EX
博客园 - Franky
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The GitHub Blog
The GitHub Blog
Microsoft Security Blog
Microsoft Security Blog
Attack and Defense Labs
Attack and Defense Labs
S
Security Affairs
Simon Willison's Weblog
Simon Willison's Weblog
I
Intezer
T
The Exploit Database - CXSecurity.com
有赞技术团队
有赞技术团队
S
Schneier on Security
人人都是产品经理
人人都是产品经理
Security Archives - TechRepublic
Security Archives - TechRepublic
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
K
Kaspersky official blog
PCI Perspectives
PCI Perspectives
AI
AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
罗磊的独立博客
O
OpenAI News
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
The Register - Security
The Register - Security
V
Vulnerabilities – Threatpost
GbyAI
GbyAI
博客园 - 【当耐特】
C
Cisco Blogs
大猫的无限游戏
大猫的无限游戏
Help Net Security
Help Net Security
Google DeepMind News
Google DeepMind News
S
Securelist
Application and Cybersecurity Blog
Application and Cybersecurity Blog
P
Proofpoint News Feed
博客园 - 三生石上(FineUI控件)
雷峰网
雷峰网
L
LangChain Blog
SecWiki News
SecWiki News
博客园 - 叶小钗
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
V2EX - 技术
V2EX - 技术
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
J
Java Code Geeks
L
LINUX DO - 热门话题
Cisco Talos Blog
Cisco Talos Blog

OpenAI News

Using custom GPTs ChatGPT for customer success teams Applications of AI at OpenAI Research with ChatGPT Analyzing data with ChatGPT Financial services Responsible and safe use of AI Writing with ChatGPT ChatGPT for research Creating images with ChatGPT Personalizing ChatGPT ChatGPT for finance teams Getting started with ChatGPT Working with files in ChatGPT ChatGPT for sales teams Prompting fundamentals ChatGPT for managers Using projects in ChatGPT ChatGPT for marketing teams Brainstorming with ChatGPT AI fundamentals ChatGPT for operations teams Healthcare Our response to the Axios developer tool compromise Using skills OpenAI Full Fan Mode Contest: Terms & Conditions CyberAgent moves faster with ChatGPT Enterprise and Codex The next phase of enterprise AI Introducing the Child Safety Blueprint Introducing the OpenAI Safety Fellowship Industrial policy for the Intelligence Age OpenAI acquires TBPN Codex now offers more flexible pricing for teams Gradient Labs gives every bank customer an AI account manager OpenAI raises $122 billion to accelerate the next phase of AI Helping disaster response teams turn AI into action across Asia STADLER reshapes knowledge work at a 230-year-old company Inside our approach to the Model Spec Introducing the OpenAI Safety Bug Bounty program Helping developers build safer AI experiences for teens Update on the OpenAI Foundation Powering Product Discovery in ChatGPT Creating with Sora Safely How we monitor internal coding agents for misalignment OpenAI to acquire Astral Introducing GPT-5.4 mini and nano OpenAI Japan announces Japan Teen Safety Blueprint to put teen safety first Equipping workers with insights about compensation Why Codex Security Doesn’t Include a SAST Report Designing AI agents to resist prompt injection From model to agent: Equipping the Responses API with a computer environment Rakuten fixes issues twice as fast with Codex Wayfair boosts catalog accuracy and support speed with OpenAI Improving instruction hierarchy in frontier LLMs New ways to learn math and science in ChatGPT OpenAI to acquire Promptfoo Codex Security: now in research preview How Descript engineers multilingual video dubbing at scale How Balyasny Asset Management built an AI research engine Reasoning models struggle to control their chains of thought, and that’s good Introducing GPT-5.4 GPT-5.4 Thinking System Card Ensuring AI use in education leads to opportunity VfL Wolfsburg turns ChatGPT into a club-wide capability OpenAI and NORAD team up to bring new magic to “NORAD Tracks Santa” Accenture and OpenAI accelerate enterprise AI success OpenAI takes an ownership stake in Thrive Holdings to accelerate enterprise AI adoption What to know about a recent Mixpanel security incident Expanding data residency access to business customers worldwide Our approach to mental health-related litigation Inside JetBrains—the company reshaping how the world writes code Introducing shopping research in ChatGPT How GPT-5 helped mathematician Ernest Ryu solve a 40-year-old open problem OpenAI and Foxconn collaborate to strengthen U.S. manufacturing across the AI supply chain Disrupting malicious uses of AI: June 2025 Creating websites in minutes with AI Website Builder Addendum to OpenAI o3 and o4-mini system card: OpenAI o3 Operator OpenAI Deutschland Shipping code faster with o3, o4-mini, and GPT-4.1 Introducing Stargate UAE New tools and features in the Responses API Introducing Codex Addendum to o3 and o4-mini system card: Codex AI powers Expedia’s marketing evolution Strengthening America’s AI leadership with the U.S. National Laboratories Introducing ChatGPT Gov Operator System Card Computer-Using Agent Introducing Operator Bertelsmann powers creativity and productivity with OpenAI Trading Inference-Time Compute for Adversarial Robustness Announcing The Stargate Project Stargate Infrastructure The power of personalized AI Delivering LLM-powered health solutions Increasing accuracy of pediatric visit notes Practices for Governing Agentic AI Systems Superalignment Fast Grants Weak-to-strong generalization Partnership with Axel Springer to deepen beneficial use of AI in journalism
Outbound coordinated disclosure policy
2025-09-22 · via OpenAI News
OpenAI

September 22, 2025

OpenAI is committed to enhancing global software security by responsibly disclosing vulnerabilities discovered in third-party software. This policy governs how OpenAI reports and discloses vulnerabilities we discover in third-party software to vendors and open source maintainers. In these reports we aim to be cooperative, impactful, and maintain high integrity standards.

This policy lays out how we disclose issues found in open-source and commercial software through automated and manual code review, as well as discoveries arising from internal usage of third-party software and systems. Detection methods may include:

  • AI- or agent-powered application security analysis.
  • Security research, audits, and fuzzing of open-source software.
  • Evaluations of vendor-supplied or third-party software used within OpenAI operations.
  • Other methods as appropriate.

Ecosystem security: A primary goal is to improve ecosystem security.

Cooperative: Good faith, helpful engagements. Third party inbound disclosure processes are respected, subject to exceptions in this policy.

Discreet by default: Initial disclosures are private. Public disclosures usually occur only after explicit vendor or open source maintainer consent, subject to exceptions set out below. 

High scale, low friction: Validated, actionable disclosures are sent. 

Attribution when relevant: Vulnerabilities will be credited as discovered by OpenAI Security Research - Aardvark. Where applicable, we may attribute discovery to specific individuals, systems, or agents.

  1. Identification and Validation
    Upon discovery, each finding is validated for security impact. Reports typically include:
    • Impact summary (e.g., denial‑of‑service, memory corruption)
    • Affected versions / commit ranges
    • Reproduction steps or a proof‑of‑concept (PoC) where possible
    • Reproduction aids (e.g., Docker image) where feasible
  2. Peer Review
    Each disclosure undergoes an internal review process prior to release, including peer review by a security engineer for accuracy, reproducibility, and quality.
    • Where a vulnerability is discovered by an automated system, a security engineer reviews the disclosure before it is released.
    • Where a vulnerability is discovered by a security engineer, a second security engineer reviews the disclosure.
  3. A security program manager coordinates disclosures, maintains records, and manages vendor interactions.
  4. Disclosure Process
    • Reporting Channel. We will generally seek to follow the inbound disclosure procedures of the vendor or open source maintainer who is to receive the disclosure. We reserve the right to follow an alternate procedure at our discretion. Our preferred methods for disclosure include vendor security emails (e.g. the company’s Product Security Incident Response Team email intake), or private GitHub reporting. Submissions to public trackers such as GitHub Issues are avoided by default. We generally will not participate in Bug Bounty programs.
    • Internal Handling. OpenAI’s outbound disclosure communications are managed through a mailing list dedicated for this purpose. Access to this mailing list will be internally restricted in the interest of confidentiality and discretion. Internally, a member of our disclosure team will examine our own use of the affected product or code. If use is found, we engage appropriate teams in accordance with our policies.
    • External Disclosures. In certain circumstances, in the absence of consent from the vendor or open source maintainer, OpenAI may share information with appropriate third parties that play a role in receiving, analyzing or disseminating vulnerability information in addition to, or instead of, the vendor or open source maintainer. These may include disclosures to the public, or to a more limited set including to CERTs, CISA and other bodies within and outside the United States with responsibilities for ingestion and dissemination of vulnerability information.
  5. Public Disclosure Timeline
    We do not commit to strict publication timelines. Public disclosures may occur in the following circumstances, where:
    • Explicit vendor permission is obtained.
    • There is credible evidence of active exploitation.
    • Notifying or attempting to notify the vendor or open source maintainer may be futile, including because the recipient may not be reachable or may not be responsive.
    • The vendor or open source maintainer is unlikely to take appropriate action or has not acted with appropriate diligence after receiving notice.
    • Disclosure is essential for protecting the rights, privacy, safety, security or property of OpenAI, its users, third parties, or the public interest.
    • Disclosure is required by law.

There may be exceptions in certain cases. For example, if timelines shift or there is a material difference in views around severity or patching, we may proceed with disclosure to ensure transparency and consistency in our process.

We reserve the right to change or deviate from this policy and our procedures implementing it. We anticipate that these will change substantially as security research and application security testing become increasingly automated with advances in AI. This policy does not create a contract, confer rights, or form the basis for reliance by any party.