We are publishing an Outbound Coordinated Disclosure Policy that we will follow when disclosing vulnerabilities to third-parties.

At OpenAI, we are committed to advancing a secure digital ecosystem. That’s why we’re introducing our Outbound Coordinated Disclosure Policy, which lays out how we responsibly report security issues we discover in third-party software. We're doing this now because we believe coordinated vulnerability disclosure will become a necessary practice as AI systems become increasingly capable of finding and patching security vulnerabilities. Systems developed by OpenAI have already uncovered zero-day vulnerabilities in third-party and open-source software, and we are taking this proactive step in anticipation of future discoveries.

Whether surfaced through ongoing research, targeted audits of open source code we leverage, or automated analysis using AI tools, our goal is to report vulnerabilities in a way that’s cooperative, respectful, and helpful to the broader ecosystem.