OpenAI CVE assignment policy
OpenAI is a CVE Numbering Authority (CNA) for vulnerabilities in our products and services. We assign CVE IDs for security issues reported by external parties in OpenAI systems and publish CVE Records to the public CVE list. We are committed to a transparent, cooperative disclosure process that keeps our users safe while giving credit to the researchers who help keep our platforms secure.
This policy covers technical security vulnerabilities discovered outside OpenAI’s standard internal security processes in OpenAI products that could reasonably compromise the confidentiality, integrity, or availability of OpenAI systems, software we distribute, and data.
AI model safety issues concerning model behavior or content (prompt “jailbreaks,” model hallucinations, policy bypasses, etc.) are not within the scope of this policy. We encourage reporting AI safety issues through dedicated channels.
To report a vulnerability in our systems, please see our Coordinated vulnerability disclosure policy.
- Initial response: We will aim to acknowledge receipt of vulnerability reports within 3 business days.
- Assessment and triage: Our security team will investigate the report to validate the vulnerability and determine its impact and severity. During this phase, we may contact you to request additional information.
- Updates: We will share information about the progress of the investigation when there is noteworthy information to share, as appropriate.
- Disclosure: While we are working on a fix, we ask that you do not share or publicize the vulnerability details. OpenAI likewise will treat your report as confidential. We won’t disclose your report outside of OpenAI and relevant partners, consistent with our Outbound Coordinated Vulnerability Disclosure policy. Keeping the vulnerability non-public can help protect our users and systems until a solution or sufficient mitigation is in place. Once a solution or sufficient mitigation is in place, we will work with you to coordinate a disclosure timeline.
Assigning a CVE ID helps us and the community track the issue across our communications and ensures it’s recognized in global vulnerability databases.
- Scope for assigning a CVE ID: We will generally assign a CVE ID for security vulnerabilities in software that we distribute, including those that require user action to resolve. We will generally not reserve a CVE ID for server-side issues. We will only assign a CVE ID for security vulnerabilities that are exploitable and that are important security issues. We will not assign a CVE ID for defense-in-depth fixes, misconfigurations, or informational findings.
- When we assign the CVE ID: In many cases, we will reserve a CVE ID early in the process, once we’ve confirmed the issue and begun working on a resolution. Once a CVE ID is reserved for the vulnerability, we’ll share that ID with you. The CVE ID remains in a reserved (not yet public) state before public disclosure.
- OpenAI disclosure: We will maintain a disclosure page with confirmed, public CVEs on OpenAI’s Trust Portal at trust.openai.com. Public CVE ID entries will link to related advisories published by OpenAI.
We appreciate the contributions of security researchers.
- Public acknowledgment: If requested, we will credit the reporter (by name or alias, and/or affiliation) in any published advisory or release notes, as well as in the CVE disclosure page.
- Bug bounty rewards: If a report was submitted through our bug bounty program, the reporter may be eligible for a monetary reward, subject to our published rules and discretion.
Thank you for helping keep OpenAI and our users safe. We view the relationship with the security community as a collaboration. By following this policy and working with us in good faith, you’re making a real difference. We’re committed to reciprocating that good faith by being responsive, fair, and appreciative of your efforts. If you have any questions about these guidelines or need clarification on our CNA process, feel free to reach out at disclosure@openai.com. Let’s continue to work together to protect and secure the technology that’s shaping our future!