ragona 16 hours ago
(Note: I also work for OpenAI Security — though I’ve not worked on our bounty program for some time. These are just my thoughts and experiences.) I believe the author was referring to the standard Bugcrowd terms, which as far as I know are themselves fairly common across the various platforms. In my experience we are happy for researchers to publish their work within the normal guidelines you’d expect from a bounty program — it’s something I’ve worked with researchers on without incident.
winstonhowes 13 hours ago
100%. We want to ensure we can fix real security issues responsibly before details are published. In practice, if a researcher asks to disclose after we've addressed the issue, we're happy for them to publish.