- OpenAI launched a Bio Bug Bounty for GPT-5.5 on April 23, 2026, offering $25,000 to the first researcher to find a universal biosafety jailbreak.
- The challenge requires a single prompt to bypass all five of OpenAI’s undisclosed bio safety questions in a clean session without triggering moderation.
- Testing is limited to GPT-5.5 running in Codex Desktop only; all findings are bound by NDA and will not be publicly disclosed.
- Applications close June 22, 2026, with testing running from April 28 through July 27, 2026.
What Happened
OpenAI on April 23, 2026 launched a dedicated Bio Bug Bounty program for GPT-5.5, offering up to $25,000 to the first external researcher who can demonstrate a universal jailbreak against the model’s bio safety guardrails — the same day the company published the separately documented GPT-5.5 System Card. The program announcement, published on OpenAI’s safety blog without a named author, invites vetted professionals with backgrounds in AI red-teaming, security, or biosecurity to probe the model’s defenses. Applications opened the same day with rolling acceptances.
The program is structured as an adversarial test specifically of bio-related harmful output — not a general security audit. OpenAI stated it will directly invite a vetted list of trusted bio red-teamers while also reviewing new applications submitted through its dedicated program portal.
Why It Matters
A paid external red-teaming program scoped exclusively to biosecurity in a single model version extends beyond OpenAI’s existing broad-surface programs: its Safety Bug Bounty and Security Bug Bounty, both hosted on Bugcrowd, do not offer category-specific rewards of this size or focus. The targeted bio scope reflects longstanding concern among frontier AI developers that large language models could provide meaningful uplift toward dangerous biological knowledge, including pathogen synthesis or circumvention of biosafety lab protocols — a risk category that multiple AI safety frameworks, including OpenAI’s own preparedness evaluations, have flagged as warranting elevated scrutiny.
GPT-5.5 is the latest in a series of rapid model releases that also includes GPT-5.4, GPT-5.3 Instant, and GPT-5.3-Codex. The decision to scope the bio bounty to GPT-5.5 in Codex Desktop specifically — rather than the general ChatGPT interface — suggests OpenAI’s safety team assessed distinct bio risk vectors tied to the model’s advanced code and reasoning capabilities in that environment.
Technical Details
The program defines success with precision: a single “universal jailbreaking prompt” that causes GPT-5.5 to answer all five of OpenAI’s bio safety challenge questions “from a clean chat without prompting moderation,” as the announcement states. The five questions themselves are not disclosed, which prevents participants from reverse-engineering defenses before testing opens April 28, 2026. The model in scope is GPT-5.5 in Codex Desktop only — GPT-5.5 accessed through the ChatGPT web interface or API is explicitly outside the program’s bounds.
Partial wins — prompts that clear some but not all five questions — may earn smaller discretionary awards, though OpenAI has not published thresholds or amounts for partial results. All prompts, model completions, findings, and communications between participants and OpenAI are subject to NDA, which means any confirmed vulnerabilities will not enter the public record. This mirrors responsible-disclosure norms in conventional security research but limits independent verification of OpenAI’s subsequent remediation.
Who’s Affected
The program is open to AI security researchers, professional red-teamers, and biosecurity professionals who hold existing ChatGPT accounts and clear OpenAI’s undisclosed vetting process. Accepted applicants will be onboarded to a dedicated bio bug bounty platform and must sign an NDA prior to testing. Developers and enterprises deploying GPT-5.5 via the API are outside the scope of this specific program, though any confirmed universal jailbreak would carry implications for bio-adjacent use cases beyond the Codex Desktop environment.
Organizations with active biosecurity or AI safety mandates — including academic research institutions and government-adjacent labs — are likely candidates for direct invitations given OpenAI’s reference to a pre-existing vetted network of bio red-teamers.
What’s Next
The application window closes June 22, 2026 and the testing period runs through July 27, 2026. OpenAI has not disclosed what remediation steps would follow a confirmed universal jailbreak, nor whether findings will be incorporated into a system card revision or a subsequent model update. Researchers interested in broader safety and security testing outside the bio bounty scope can apply to OpenAI’s existing programs via Bugcrowd.
