OpenAI puts GPT-5.5 biology safeguards to a live stress test with a new bug bounty

A selective, high-trust process

The program is not fully open. According to the supplied source, OpenAI will invite a vetted list of trusted bio red-teamers and review new applications from researchers with experience in AI red teaming, security or biosecurity. Accepted participants and collaborators must have existing ChatGPT accounts and sign a nondisclosure agreement. All prompts, completions, findings and communications are covered by NDA.

That controlled-access design reflects the sensitivity of the subject matter. Biology-related misuse research occupies an unusual position: the systems need to be stress-tested, but broad public release of adversarial methods could create additional risk. The NDA requirement suggests OpenAI is trying to balance external scrutiny with operational containment.

The setup also underlines a larger shift in frontier AI governance. High-risk capability domains are increasingly being handled through trusted-access models rather than purely open competitions. That approach limits outside visibility, but it can also enable more realistic adversarial testing than a fully public challenge would allow.

What the program says about frontier-model safety

The GPT-5.5 Bio Bug Bounty arrives as evidence that AI companies are moving toward more specialized safety validation for advanced systems. General-purpose red teaming remains important, but the highest-risk areas increasingly require domain-specific expertise. Biology is an especially important case because the line between legitimate scientific assistance and potentially dangerous information can be difficult to manage at scale.

By narrowing the challenge to universal jailbreaks, OpenAI is effectively asking a hard question about robustness: can its safeguards withstand a determined, expert adversary using prompt-based methods alone? That is more demanding than asking whether ordinary users can occasionally confuse the model. It is a test of whether the defenses fail in a repeatable, scalable way.

The company’s wording also suggests this program is part of a broader architecture of bug bounties and safety work. The source text points participants toward OpenAI’s separate safety and security bounty programs, which indicates a layered model of evaluation rather than a one-off exercise.

The limits of what this reveals

At the same time, the announcement leaves some things unclear by design. Because the challenge is covered by NDA, outside observers will not automatically see the prompts tested, the completions produced or the exact character of any successful jailbreaks. That reduces transparency, though it may be unavoidable in a domain where publication itself could create risk.

The focus on Codex Desktop also narrows the scope. A model’s safety posture can vary across products, interfaces and deployment constraints. Success or failure in one environment does not necessarily describe every environment. Still, as the supplied source makes clear, the company is explicitly putting GPT-5.5’s biology safeguards under adversarial pressure in at least one real product context.

A practical turn in AI safety

The larger significance of the bug bounty is that it treats model safety as something that must be tested operationally, not just described in system cards or policy statements. In that sense, the program is less about marketing a safeguard than about inviting expert attempts to break it under rules that are narrow enough to be meaningful.

Whether OpenAI’s defenses hold up is a separate question. What is already clear is that the company sees biology-related misuse as important enough to warrant paid, targeted external attack. That is a notable development in its own right. As frontier AI systems become more capable, the credibility of safety claims will depend increasingly on adversarial testing programs like this one, where the standard is not whether a policy exists, but whether it survives contact with people trying to defeat it.

This article is based on reporting by OpenAI. Read the original article.