Hacker News new | ask | show | jobs
by boulos 707 days ago
Huh? I just went to OpenAI.com and there is a little "Security" link in the bottom pile that points to https://openai.com/security-and-privacy/ .

Under "Reporting security issues" it points you to a bug bounty page: https://bugcrowd.com/openai with a bunch of explanations.

I'm guessing if you also just send an email to security@openai.com it'll go to someone. Using Bugcrowd just seems like a nice way to also run a bug bounty as part of their normal intake.
2 comments
upwardbound 707 days ago
OpenAI seems to have, unfortunately, outsourced the triaging of bug bounty reports to people who don't seem to understand security well enough to recognize issues. As an example, I've been trying to get OpenAI to fix the fact that "eval()" is used incorrectly in one of their Cookbooks in a place where the correct function would be "json.loads()".

https://cookbook.openai.com/examples/how_to_call_functions_w...

https://news.ycombinator.com/item?id=40474451#40474452

The bug bounty report was closed with a message saying:

    Upon reviewing your report and consulting with the OpenAI team, we have determined that this feature is operating as intended. This means it does not constitute a valid sandbox escape. The Code Interpreter environment is securely sandboxed to support code writing and execution, including shell operations. Any code execution within this environment falls outside the scope of our program ... As you have not demonstrated a valid sandbox escape or RCE, we're closing this submission as Not Applicable.
This shows a fundamental misunderstanding of basic coding, as the eval() I pointed them to is completely unrelated to the Code Interpreter environment. So, the report is incorrectly considered "Not Applicable", without any real further ways to try to get them to fix it. I tried contacting the Cookbook authors directly, but never heard back.
link
CamperBob2 707 days ago
I saw that.

I can't be arsed to create an account on a third party 'bug bounty' site, or to waste time guessing email addresses, or to download a security.txt file I've never heard of. Sorry. Their loss, not mine. If they make it hard for me to help them, they can't be too surprised when I give up trying.

link