Monday, May 12, 2025
HomeBug BountyOpenAI Launched Bug Bounty Program - Rewards up to $20,000

OpenAI Launched Bug Bounty Program – Rewards up to $20,000

Published on

SIEM as a Service

Follow Us on Google News

It’s been almost half a year since the revolutionary ChatGPT was released. Amazingly, it reached 100 million users in just two months.

ChatGPT has an unimaginable potential to answer things that need a lot of research. Due to its increasingly demanding usage, securing it from threat actors is also essential. 

The Microsoft-backed platform has launched its Bug Bounty Program on BugCrowd. Many Security researchers have already found some vulnerabilities on ChatGPT, and we’re posting them now and then.

- Advertisement - Google News

However, it is now an excellent opportunity for security professionals to report their bugs and get rewarded for their work.

Their rewards are below as per their Bug bounty program and the VRT (Vulnerability Rating Taxonomy) of Bugcrowd.

  • P4 – $200 – $500
  • P3 – $500 – $1000
  • P2 – $1000 – $2000
  • P1 – $2000 – $6500

The program also mentioned that the reward can go up to a maximum of $20,000, making it a huge reward for critical bugs. So far, 14 Vulnerabilities have been reported on the program.

Scope of the Program

The following applications are in scope.

  • ChatGPT, ChatGPT Plus, Logins, Subscriptions, OpenAI-created Plugins created by users, and all other functionalities.

Bugs that can be reported include,

  • XSS or Stored XSS
  • CSRF
  • SQLi
  • Authentication and Authorization Issues
  • Data Exposure
  • Payment based bugs
  • Cloudflare Bypass to send traffic to unprotected endpoints
  • Running queries on private models that are not available to the Public
  • Browsing or Code Interpreter Plugins created by OpenAI
  • SSRF
  • OAuth Flaws
  • Credential Security and making plugin calls to unrelated domains

Since OpenAI has access to the entire internet, issues related to Google Workspace, Asana, Trella, Jira, Monday.com, Notion, Hubspot, and many more related issues related to OpenAI can also be reported.

However, there are restrictions to perform additional security testing on these companies.

Subdomains of openai are also included in the scope of the program. The subdomains of OpenAI can be found at 

  • *.openai.com

Out-of-Scope Vulnerabilities

Though most bugs are eligible for reporting, some of the bugs listed below are out of the program’s scope.

  • Issues based on the Model
  • Brute Forcing API
  • Fuzzing, password spraying unauthorized attacks
  • Stolen or Leaked Credentials stemming
  • Clickjacking
  • SSL/TLS Cipher security issues with PoC
  • Server error messages without exploit proof
  • Old/EoL browser/ plugins related issues and much more

For more information, refer to the Out-of-Scope topic on BugCrowd.

Struggling to Apply The Security Patch in Your System? – 

Related Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...