OpenAI Raises Bio Bounty to $50,000 for Universal Jailbreaks - TechRepublic

OpenAI Raises Bio Bounty to $50,000 for Universal Jailbreaks

OpenAI Raises Bio Bounty to $50,000 for Universal Jailbreaks

OpenAI’s latest bounty raises the stakes for external testing of AI biosecurity safeguards. Image: Generated via ChatGPT

OpenAI has doubled its top bio bounty to $50,000 for researchers who can develop a universal jailbreak against its biological safety challenge. The ongoing private program begins with GPT-5.6 and keeps GPT-5.5 in scope through July 27, 2026.

Jul 10, 2026
We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.

OpenAI is doubling the top reward for researchers who can find a reusable way to break through its biological safety controls. The company announced July 9 that accepted researchers may earn up to $50,000 for a universal jailbreak that defeats a predefined biosafety challenge.

The new OpenAI Bio Bounty Program initially covers GPT-5.6 while keeping GPT-5.5 in scope through July 27, 2026. The program gives outside specialists an ongoing way to test safeguards that enterprises may rely on when deploying advanced AI models in sensitive research environments.

The $50,000 challenge has a narrow target

The OpenAI Bio Bounty Program targets reusable jailbreaks that defeat the company’s complete predefined challenge.

The maximum payment increased from $25,000 to $50,000 for qualifying GPT-5.5 and GPT-5.6 submissions. OpenAI may also issue smaller awards for partial submissions.

GPT-5.5 testing ends July 27, after which only GPT-5.6 will remain in scope. The cutoff is not a model-retirement or enterprise migration deadline. The change comes as organizations review the access, safeguards, and governance questions surrounding GPT-5.6.

The original GPT-5.5 bounty opened April 23, 2026. Researchers had to use one prompt to answer five biosafety questions from a clean Codex Desktop session without triggering moderation. OpenAI has not confirmed that GPT-5.6 uses the same questions or testing process.

Participation remains restricted. Applicants provide their name, affiliation, and experience through a rolling process. Those selected must have a ChatGPT account, sign a nondisclosure agreement, and use OpenAI’s bounty platform. Previous applicants do not need to reapply.

The original terms place prompts, model completions, findings, and communications under an NDA, limiting what researchers may disclose. OpenAI has not said whether it will publish aggregate results.

Private testing leaves open questions for enterprise buyers

OpenAI’s GPT-5.5 system card says sustained expert jailbreaking produced model-level biological safety failures during predeployment testing. Its safety classifier detected the high-priority attempts, and the final safeguard stack blocked the verified high-severity jailbreaks identified before launch.

In a separate cyber test, the UK AI Security Institute created a universal jailbreak in six hours that produced policy-violating responses across OpenAI’s malicious-query set, including multi-turn agentic tests. OpenAI updated its safeguards, but a configuration problem prevented the institute from verifying the final version.

A related threat, indirect prompt injection against production AI systems, uses hostile content to manipulate an agent’s legitimate access. The cyber result does not establish an equivalent biological vulnerability, but it shows the value of testing repeatable attacks.

CISOs and AI governance teams should treat vendor safeguards as one layer of protection in sensitive research. As AI systems gain access to files, email, code, and business applications, least-privilege controls and audit trails become more important alongside monitoring, approvals, and human review.

OpenAI has not said whether it will disclose successful submissions or related mitigations. Public reporting and future changes in model scope will shape outside scrutiny of the program.

Read more: OpenAI’s expanded ChatGPT Lockdown Mode for sensitive work limits connected tools to reduce prompt-injection and data-leakage risks, although it cannot eliminate them.