OpenAI Vulnerability: 48 Days, No Response
10 months ago
- #vulnerability
- #security
- #OpenAI
- A vulnerability was reported to OpenAI on 29 May 2025, allowing unauthorized access to other users' chat responses.
- The issue remains unpatched as of 16 July 2025, with no human follow-up from OpenAI.
- The vulnerability was reported via encrypted email instead of OpenAI's bug bounty platform due to restrictive non-disclosure terms.
- The researcher followed a 45-day disclosure window before making a limited public disclosure.
- Recommendations for vendors include staffing security inboxes with humans, publishing clear response policies, and rewarding researchers.
- Users are advised to exercise caution as the vulnerability has not been fixed.