OpenAI is doing something that was unthinkable just a few years ago in the AI industry: paying outside researchers to break its own model’s safety filters.
On April 23, 2026, the company launched a Bio Bug Bounty program targeting GPT-5.5, its most capable deployed model. The prize: $25,000 to the first researcher who finds a universal jailbreak capable of bypassing all five of the model’s biosafety challenge questions. Smaller discretionary awards may be issued for partial wins.
What the Bounty Actually Tests
The program is narrow by design. The attack surface is GPT-5.5 running inside Codex Desktop only — not the broader ChatGPT interface — and success is defined precisely: one universal prompt that clears all five bio safety questions from a clean chat session without triggering moderation.
This isn’t a generic red-teaming exercise. Biological risk is among the highest-stakes categories in AI safety. Dual-use knowledge about pathogens, synthesis routes, or weaponization techniques has the potential to cause mass casualties if extracted from frontier models. OpenAI’s decision to put a dollar amount on that attack surface is a tacit acknowledgment that GPT-5.5 sits at a level of capability where such risks are taken seriously.
The testing window runs from April 28 to July 27, 2026. Applications are accepted on a rolling basis through June 22, 2026, and all findings are covered by NDA. OpenAI says it will extend direct invitations to a vetted list of trusted bio red-teamers while reviewing new applications.
Why Biosafety, and Why Now?
The timing is not coincidental. GPT-5.5 launched earlier this month as OpenAI’s most powerful publicly available model, with agentic capabilities — planning, execution, and self-correction — that significantly expand what a determined bad actor could accomplish with AI assistance.
Regulatory pressure has also accelerated the need for public accountability mechanisms. The EU AI Act’s high-risk registration deadline falls in May 2026, and several US states are advancing biosecurity-related AI legislation. A structured, externally validated safety program provides OpenAI with evidence of proactive risk management.
By framing this as a bug bounty — borrowed directly from cybersecurity practice — OpenAI is also making an epistemological argument: that adversarial testing by independent researchers surfaces real vulnerabilities faster than internal red-teaming alone. Security researchers have validated this model for software for decades. The AI safety field is only beginning to catch up.
What Success Would Mean — in Either Direction
If no universal jailbreak is found by July 27, OpenAI gains meaningful (if imperfect) evidence that GPT-5.5’s biosafety controls hold against motivated expert attackers. If a jailbreak is found, the company gets a concrete vulnerability to fix before it can be exploited in the wild — and the researcher gets $25,000.
Neither outcome is bad for OpenAI. The program’s real value may lie less in the specific findings and more in establishing a norm: that frontier AI companies should accept, and fund, structured external challenges to their safety systems.
For the broader AI industry, the question is whether this model will be adopted more widely. With models from Google DeepMind, Anthropic, and Meta’s Llama family reaching comparable capability levels, biosafety red-teaming may become an expected baseline rather than a competitive differentiator.
Applications for the GPT-5.5 Bio Bug Bounty are open at OpenAI’s SmApply portal through June 22, 2026. Applicants must have an existing ChatGPT account and agree to an NDA before testing begins.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.