Outbound coordinated vulnerability disclosure policy
Source: OpenAI Date: 2025-09-22 URL: https://openai.com/policies/outbound-coordinated-disclosure-policy
Summary
OpenAI’s published policy for how it discloses vulnerabilities that it discovers in third-party software and systems: the “outbound” direction of coordinated vulnerability disclosure (CVD), as distinct from its bug bounty program, which handles the inbound direction (reports about OpenAI’s own systems). The policy commits OpenAI to notifying affected vendors when its researchers or its models find security flaws, with notification timelines and escalation paths in the style of standard responsible disclosure frameworks.
Implications
Safety/policy thread. Publishing an outbound CVD policy signals that OpenAI’s models are being used, or are capable of being used, to discover real security vulnerabilities in third-party code; otherwise the policy would be unnecessary. It is supporting infrastructure for the cybersecurity grant program and the “trusted access for cyber defense” product line, which both presuppose that the models will surface flaws in software OpenAI does not own. It also positions OpenAI as a responsible actor in the security community ahead of regulatory scrutiny of AI-assisted vulnerability discovery.