OpenAI's safety bug bounty is an agent-risk bounty

OpenAI launched a public Safety Bug Bounty on March 25. The least interesting way to describe that is "OpenAI has a new bug bounty." It already had a security program. The real news is that OpenAI is now willing to pay for a different class of failure.

In the launch post, the company says the new program complements its Security Bug Bounty by accepting issues that create meaningful abuse and safety risk even when they do not qualify as conventional security vulnerabilities. That is a big shift in plain English. OpenAI is starting to treat some model-mediated failures as bounty-worthy bugs, especially when agents can be tricked into taking harmful actions, leaking data, or abusing account and platform systems.

That makes this less a generic security announcement than an agent-risk announcement. It also fits the pattern we outlined in our earlier piece on OpenAI's agent stack as a distribution play. Once a company turns models into browsing, tool-using, session-carrying products, the important failures stop living only in the model output. They start living in the workflow around the model.

The scope is the story

The scope list tells you exactly what OpenAI thinks is now worth paying for. The first item is the giveaway: third-party prompt injection and data exfiltration, where attacker-controlled text can reliably hijack a victim's agent, including Browser, ChatGPT Agent, and similar products, into taking a harmful action or leaking sensitive information. OpenAI says the behavior has to be reproducible at least 50 percent of the time. That is not framed as a weird model quirk. It is framed as a reportable abuse path.

From there, the program keeps widening the aperture. OpenAI also lists agentic products performing disallowed actions on OpenAI's own website at scale, other potentially harmful agent actions with plausible and material harm, proprietary information leakage, and account or platform integrity abuse such as bypassing anti-automation controls, manipulating trust signals, or evading suspensions and bans.

A short version of the bounty map looks like this:

• prompt injection that turns into harmful action or sensitive-data leakage
• MCP and tool-mediated agent misuse, as long as third-party terms are respected during testing
• proprietary information exposure, including reasoning-related leaks
• account and platform integrity abuse around trust, automation, and restrictions

That is a revealing bundle. It sits halfway between classic appsec and classic model-safety reporting. The common thread is not "the model said something bad." The common thread is "the model-connected product can now be pushed into doing something risky in the world."

Why this matters for agents and MCP

If this all sounds familiar, it is because the broader agent ecosystem has been moving in the same direction for months. In our WordPress MCP write-capabilities piece, the point was that MCP stops being harmless context plumbing the moment agents can move from reading to acting. Once a model can browse a page, hold a session, inspect a tool schema, and then take action, prompt injection is no longer a parlor trick. It is part of an attack chain.

That is also why agent vendors have started building real control surfaces around this problem. NVIDIA OpenShell is basically a bet that policy, sandboxing, and routing need to live outside the agent's reach. DefenseClaw makes a similar point from the security-stack side: the moment agent power gets real, the guardrails stop being optional product garnish.

OpenAI's new bounty sits squarely inside that shift. It is a public admission that some of the most important failures in agent systems now come from boundary crossing: a hostile document, a poisoned page, a tool call with too much privilege, a trust signal that can be gamed, or a session that can be steered into leakage. A chatbot saying something foolish is embarrassing. A browsing agent doing it with access to your live session is a security event with better branding.

What OpenAI is leaving out on purpose

The exclusions matter almost as much as the scope. OpenAI says jailbreaks are out of scope for this program. It also says general content-policy bypasses without demonstrable safety or abuse impact are out. If the model becomes rude or returns information that is already easy to find through a search engine, that does not qualify.

That carve-out is doing real work. OpenAI is drawing a line between broad model-behavior complaints and narrower failure modes that create a direct path to harm and a concrete fix. The company even points researchers toward separate harm-specific campaigns, such as its earlier bio bug bounty, when the issue is a scoped jailbreak problem rather than a public agent-abuse defect.

In other words, OpenAI is not saying every strange output is now bounty material. It is saying the cases worth paying for are the ones where an agent can be manipulated into leaking, acting, or helping someone break the surrounding product boundary.

That is useful discipline. It keeps the program from turning into an expensive inbox for screenshots of chat weirdness, and it gives researchers a cleaner target. If you can show reproducible prompt injection, data exfiltration, harmful agent behavior, proprietary leakage, or account-integrity abuse, you are in the conversation. If you have a generic jailbreak with no real-world path to harm, you are not.

Why this matters beyond OpenAI

The bigger signal is not just about one company. It is about what the market is starting to recognize as a defect class.

For years, prompt injection sat in an awkward category: obviously bad, hard to reason about, and often waved away as an inevitable limitation of language models. That posture becomes much harder to defend once the model has tools, memory, browsing, account state, and MCP-flavored access to external systems. At that point, the failure is no longer academic. It has side effects.

OpenAI's program does not solve that problem. What it does do is attach money, triage, and official language to it. That matters. Bug bounties are one of the cleaner ways a platform tells the outside world, "yes, this is a real bug class, and yes, we expect researchers to go find it." If more agent vendors follow, prompt injection and tool abuse will look less like a fuzzy red-team talking point and more like ordinary engineering debt with a payout schedule.

That is why this March 25 launch is worth covering. Not because OpenAI added another form. Because it quietly answered a more interesting question: what kinds of AI failure now count as bugs serious enough to pay for? On this showing, the answer is increasingly simple. If an agent can be tricked into leaking, acting, or crossing a boundary it should not cross, OpenAI wants to hear about it.