
OpenAI Significantly Expands Bug Bounty Program and Security Research Initiatives


CyberSecureFox Editorial Team


OpenAI has announced a substantial enhancement to its bug bounty program, raising the maximum reward from $20,000 to $100,000 — a five-fold increase. The company simultaneously expanded its Cybersecurity Grant Program and introduced API credit micro-grants for security researchers, signaling a broader shift toward proactive collaboration with the security community.

Expanded Bug Bounty Rewards and Scope

The increased payout ceiling targets high-impact vulnerabilities in OpenAI’s infrastructure and AI systems. OpenAI has also introduced a temporary double-reward initiative specifically for IDOR (Insecure Direct Object Reference) vulnerabilities, offering up to $13,000 per confirmed finding through April 30. IDOR flaws can expose private user data by allowing unauthorized access to resources belonging to other accounts — a category of particular concern given the volume of sensitive interactions stored in ChatGPT and API systems.
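To make the IDOR class concrete, here is an added illustration, not code from the article or from OpenAI: a constructed in-memory store of per-account conversation records, a handler that trusts the client-supplied record id (the IDOR pattern), its hardened counterpart that scopes every lookup to the authenticated caller, and a small log check that flags callers who are refused on many ids they do not own. The record store, the account names, and the log line format are all assumptions made for the example.

```python
"""IDOR demonstration (added example; not from the article or OpenAI's code).

A constructed in-memory store of per-account conversation records, a handler
that trusts the client-supplied record id (the IDOR pattern), its hardened
counterpart that scopes every lookup to the authenticated caller, and a small
log check that flags callers probing many ids they do not own.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Conversation:
    conv_id: int
    owner_id: str
    transcript: str


# Constructed sample data: two accounts, one private conversation each.
CONVERSATIONS = {
    1001: Conversation(1001, "alice", "alice's private chat"),
    1002: Conversation(1002, "bob", "bob's private chat"),
}


class NotFound(Exception):
    """One error for both 'missing' and 'not yours', so a probe cannot learn
    whether another account's record exists."""


def get_conversation_insecure(conv_id: int) -> Conversation:
    """IDOR-prone handler: looks up whatever id the client sent and never asks
    who is making the request. Any authenticated user reaches any record."""
    if conv_id not in CONVERSATIONS:
        raise NotFound(conv_id)
    return CONVERSATIONS[conv_id]


def get_conversation(requester_id: str, conv_id: int) -> Conversation:
    """Hardened handler: requester_id comes from the server-side session, never
    from the request body, and the lookup is scoped to that owner."""
    record = CONVERSATIONS.get(conv_id)
    if record is None or record.owner_id != requester_id:
        raise NotFound(conv_id)
    return record


def can_read(requester_id: str, conv_id: int) -> bool:
    """True only when the hardened handler releases the record."""
    try:
        get_conversation(requester_id, conv_id)
    except NotFound:
        return False
    return True


# Constructed (hypothetical) access-log format: "user=<id> conv_id=<n> status=<code>"
LOG_RE = re.compile(r"user=(\S+) conv_id=(\d+) status=(\d{3})")


def flag_enumeration(log_lines, threshold: int = 3):
    """Return the users whose requests were refused (403/404) for at least
    `threshold` distinct conversation ids: the footprint of someone walking
    sequential ids looking for records that are not theirs."""
    refused_ids = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, conv_id, status = m.group(1), int(m.group(2)), m.group(3)
        if status in ("403", "404"):
            refused_ids[user].add(conv_id)
    return sorted(u for u, ids in refused_ids.items() if len(ids) >= threshold)


# Constructed log sample: alice and bob read their own records; "mallory" walks ids.
SAMPLE_LOG = [
    "user=alice conv_id=1001 status=200",
    "user=mallory conv_id=1001 status=404",
    "user=mallory conv_id=1002 status=404",
    "user=mallory conv_id=1003 status=404",
    "user=bob conv_id=1002 status=200",
    "user=bob conv_id=1001 status=404",
]

if __name__ == "__main__":
    print(get_conversation_insecure(1002).transcript)  # bob's chat, served with no caller check
    print(can_read("alice", 1002))                     # False under the hardened handler
    print(flag_enumeration(SAMPLE_LOG))                # ['mallory']
```

The fix is the ownership predicate inside the lookup itself, keyed on an identity the server established, rather than a check bolted on in the route layer where one endpoint can be forgotten. Returning the same "not found" result for foreign and missing ids keeps a refused probe from confirming which ids exist. The log check is the monitoring side of the same control: a burst of refusals across many distinct ids from one caller is the pattern worth alerting on.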

Targeted Security Research Incentives

The expanded program takes a multi-layered approach combining higher base rewards, time-limited bonuses for specific vulnerability classes, and direct research support. The company has implemented:

  • A $100,000 maximum reward for critical vulnerabilities
  • Double rewards for IDOR vulnerability reports through April 30
  • Regular penetration testing engagements alongside the external bug bounty
  • API credit micro-grants enabling researchers to prototype and test attack scenarios against OpenAI’s systems

Cybersecurity Grant Program Expansion

OpenAI’s Cybersecurity Grant Program, launched in 2023, has already funded 28 research initiatives. The expanded program now covers:

  • Software remediation and patch management research
  • AI model privacy protection mechanisms
  • Advanced threat detection and response systems
  • Security infrastructure integration for AI deployments
  • Defense against sophisticated attack vectors targeting large language models

Who Is Affected and Why This Matters

The expanded program is particularly relevant to:

  • Security researchers who work on AI system vulnerabilities, prompt injection, and model manipulation
  • Enterprises and developers using the OpenAI API who benefit from improved platform security
  • ChatGPT users whose account data and conversation history become better protected as vulnerabilities are discovered and fixed
  • Organizations evaluating OpenAI products for use in regulated industries, where documented security practices are a compliance requirement

The 2023 ChatGPT data breach — where a Redis library vulnerability exposed ChatGPT Plus subscriber payment information — served as a direct catalyst for these security investments.

What Security Researchers Should Do Now

Researchers interested in participating in OpenAI’s expanded security program should:

  • Review the current scope and reward tiers on OpenAI’s official bug bounty page (hosted on Bugcrowd)
  • Prioritize IDOR vulnerability research before the double-reward period expires on April 30
  • Apply for API credit micro-grants through OpenAI’s security research program to fund proof-of-concept work
  • Submit proposals to the Cybersecurity Grant Program for funded research on AI-specific threat categories
  • Follow responsible disclosure practices — OpenAI requires coordinated disclosure and does not permit public release before a fix is confirmed
