OpenAI is opening a new Bio Bug Bounty for GPT-5.5, aimed at a narrow but high-stakes question: can a single jailbreak reliably defeat the model’s biology safety controls across a set of five challenge prompts? The program is not a general public bounty. OpenAI says it is accepting applications from researchers with experience in AI red teaming, security, or biosecurity, then inviting a vetted group into a controlled testing environment.

The reward structure is deliberately focused. OpenAI is offering $25,000 to the first participant who finds a true universal jailbreak that clears all five bio safety questions from a clean chat without triggering moderation. Smaller awards may be granted for partial wins, but the center of gravity is obvious: OpenAI wants to know whether GPT-5.5 has a systemic bypass, not merely a collection of fragile prompt tricks.

The Bounty Targets Universal Failure

The phrase “universal jailbreak” is doing a lot of work here. In normal AI safety discourse, jailbreaks can be scattered and inconsistent: one prompt may work against one model version, one policy boundary, or one oddly phrased request, then collapse when the system is reset. OpenAI’s GPT-5.5 bounty raises the bar by asking for one prompt that works across all five biology safety questions from a clean chat.

That makes this less like a conventional content-policy stress test and more like an attempt to identify whether a single adversarial pattern can cut through the model’s safeguards in a repeatable way. In the context of advanced biology, that repeatability matters. A model that occasionally mishandles a borderline question is one risk category. A model with a reusable bypass pattern for dangerous biological assistance is a much more serious operational concern.

Related Story : OpenAI Launches GPT-5.5 for Real Work Across ChatGPT, Codex, and Enterprise Teams

OpenAI announced the program through its newsroom account on X, and the post frames the bounty as part of a broader effort to strengthen safeguards for advanced AI capabilities in biology.

OpenAI’s announcement on X also makes clear that the company is looking for people with a mix of red-team and biosecurity judgment, not casual prompt hunters.

Access Is Narrow by Design

The model in scope is GPT-5.5 in Codex Desktop only, according to the source material. That is an important constraint because it keeps the test inside a defined product surface rather than turning the bounty into an open-ended hunt across every OpenAI interface.

Applications opened on April 23, 2026, with rolling acceptances, and close on June 22, 2026. Testing begins on April 28, 2026, and runs through July 27, 2026. Selected applicants will be onboarded to the bio bug bounty platform, and both accepted participants and collaborators must have existing ChatGPT accounts.

The application page asks for basic identity, affiliation, and experience details. OpenAI also says all prompts, completions, findings, and communications are covered by NDA, which is unsurprising for a program built around potentially sensitive biosecurity failure modes.

Why Biology Gets a Separate Safety Lane

The existence of a separate bio bounty says something about how frontier AI risk is becoming more specialized. OpenAI already points interested researchers toward its broader Security Bug Bounty and Safety Bug Bounty programs, but biology sits in a category where the consequences of a successful bypass can be different from ordinary policy violations or software bugs.

That is why the program appears to combine three kinds of expertise. AI red-teamers understand prompt behavior and model failure patterns. Security researchers understand reproducibility and adversarial testing discipline. Biosecurity specialists understand why a technically successful answer may be dangerous even if it looks abstract to a general evaluator.

The timing also fits OpenAI’s broader GPT-5.5 push. The company has just positioned GPT-5.5 as a model for sustained, tool-using work across products including ChatGPT and Codex. A stronger model can be more useful, but capability gains also raise the importance of testing whether safety layers still hold under targeted pressure.

A Signal About Frontier Model Governance

The most practical reading of the Bio Bug Bounty is that OpenAI is trying to move some of its most sensitive safety testing into a more formal, rewarded, auditable channel. That does not eliminate the underlying risk, and the NDA structure means the public will not see the full shape of the findings. But it does create a mechanism for qualified outside researchers to test a specific failure mode before it becomes a public incident.

For labs building frontier models, this kind of controlled adversarial program may become less optional over time. The question is no longer only whether a model refuses dangerous requests in ordinary use. It is whether the same defenses survive coordinated pressure from people who know both the model surface and the domain risk.

OpenAI’s bounty gives that question a deadline, a reward, and a defined target. The harder part will be what happens after the submissions arrive: translating adversarial findings into safeguards that work beyond one model version, one product surface, and one private test.

Comments

No comments yet. Be the first to share your thoughts.

or to leave a comment.