top | item 40894278

Algemarin | 1 year ago

> It's hard enough to report issues to OpenAI.

Not at all. OpenAI follows basic accepted standards for security reporting. This is like complaining that you can't find out whether a website doesn't want specific directories crawled because you don't know about the existence of a robots.txt.

Specifically, OpenAI has a security.txt [0], which is:

> an accepted standard for website security information that allows security researchers to report security vulnerabilities easily [1]

Whenever attempting to find where to report a security issue, the easiest thing to do is always check if the website has a security.txt file.

[0] https://openai.com/security.txt

[1] https://en.wikipedia.org/wiki/Security.txt

Here's their security.txt:

  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA512
  
  #
  #           .d88888b.             
  #         .8P"     "9bd888b.      
  #        .8P     .d8P"   `"988.   
  #     .8888   .d8P"    ,     98.  
  #   .8P" 88   8"    .d98b.    88  
  #  .8P   88   8 .d8P"   "98b. 88  
  #  88    88   8P"  `"8b.    "98.  
  #  88.   88   8       8"8b.    88 
  #   88    "98.8       8   88   "88
  #    `8b.    "98.,  .d8   88    88
  #    88 "98b.   .d8P" 8   88   d8"
  #    88    "98bP"    .8   88 .d8" 
  #    "8b     `    .d8P"   8888"   
  #     "88b.,   .d8P"     d8"      
  #       "9888P98b.     .d8"       
  #               "988888P"         
  #
  Contact: https://bugcrowd.com/openai
  Acknowledgments: https://bugcrowd.com/openai/hall-of-fame
  Policy: https://openai.com/policies/coordinated-vulnerability-disclosure-policy
  Hiring: https://openai.com/careers/search?c=security
  Canonical: https://openai.com/.well-known/security.txt
  Encryption: https://cdn.openai.com/security/disclosure.asc.pub
  
  # You may also email us directly.
  Contact: mailto:disclosure@openai.com
  -----BEGIN PGP SIGNATURE-----
  
  iHUEARYKAB0WIQQ5fYPd6Hi19rZDZ+kKj1HZ7OnINQUCZbiKWgAKCRAKj1HZ7OnI
  NS9+AQCTx4vlrCp+Urd1fa/lAQ3dcV8VNHOxA4JnxD0TH2nxwQEAuqoxenxPZWeD
  +IsSikn4em/LEheOeAakGDzZedcu1QE=
  =rMRk
  -----END PGP SIGNATURE-----
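Checking for a security.txt, as the comment recommends, is easy to script. The Python below is an added example, not code from this thread or from OpenAI: it parses a PGP-clearsigned security.txt along the lines of RFC 9116, returns the Contact channels in the order the file lists them, and flags gaps a maintainer should fix, in particular a missing or past Expires field, which is the standard's own mechanism for telling readers the file may be out of date. The sample text is constructed from the fields of the file quoted above, with the logo and signature body left out.

```python
from datetime import datetime, timezone

# Constructed sample: the fields of the security.txt quoted above, logo and signature body left out.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: https://bugcrowd.com/openai
# You may also email us directly.
Contact: mailto:disclosure@openai.com
-----BEGIN PGP SIGNATURE-----
(signature omitted)
-----END PGP SIGNATURE-----
"""

def parse_security_txt(text: str) -> dict[str, list[str]]:
    # lower-cased field name -> values in file order; comments and the clearsign envelope are skipped
    fields: dict[str, list[str]] = {}
    state = "body"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            state = "armor"            # 'Hash: ...' headers follow, up to the first blank line
        elif line == "-----BEGIN PGP SIGNATURE-----":
            state = "signature"
        elif state == "signature":
            state = "body" if line == "-----END PGP SIGNATURE-----" else state
        elif state == "armor":
            state = "body" if line == "" else state
        elif line and not line.startswith("#"):
            name, sep, value = line.partition(":")
            if sep and name.replace("-", "").isalpha():
                fields.setdefault(name.lower(), []).append(value.strip())
    return fields

def report_channels(fields: dict[str, list[str]]) -> tuple[list[str], list[str]]:
    # returns (Contact URIs in the file's preference order, problems the maintainer should fix)
    contacts = fields.get("contact", [])
    problems = [] if contacts else ["no Contact field (required)"]
    exp = fields.get("expires", [None])[0]
    if exp is None:
        problems.append("no Expires field (RFC 9116 requires it so readers can spot a stale file)")
    else:
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
            if when.astimezone(timezone.utc) <= datetime.now(timezone.utc):
                problems.append(f"Expires {exp} is in the past (file is stale)")
        except ValueError:
            problems.append(f"Expires {exp!r} is not an RFC 3339 timestamp")
    return contacts, problems
```

Run against the quoted file, the parser yields both Contact entries and reports only the absent Expires; a file whose Expires date has passed is reported as stale, which is the signal the next comment's experience with the unmonitored mailbox shows is worth checking before trusting a listed channel.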

upwardbound | 1 year ago

The email address they have listed there is defunct, and they haven't bothered to update this security.txt page. When you try emailing disclosure@openai.com, you get an auto-reply saying:

    Hello and thank you for reaching out to OpenAI. Our vulnerability disclosure program has migrated to OpenAI's bug bounty program, and this mailbox is no longer monitored. Please use the "submit report" functionality available through our bug bounty platform to inform us of security concerns, or reach out to support@openai.com for any non-security-related inquiries.

    Thank you for your help in securing OpenAI!

    Bug Bounty Program: https://bugcrowd.com/openai

CamperBob2 | 1 year ago

LOL.

... that was a joke, right? So only people who have heard of the security.txt convention are expected to find this information easily when they need to report a bug?

ballenf | 1 year ago

This came up with my first search "openai security": https://trust.openai.com

At the bottom is a link to report an issue. Seems like there are multiple ways to report issues. And they come with the potential for bug bounties.

And so many companies don't follow the security.txt standard that it puts OpenAI well ahead of most companies.