InfoSecBulletin Cybersecurity for mankind
It’s been almost half a year since the revolutionary ChatGPT was released. Amazingly, it reached 100 million users in just two months.
ChatGPT has an unimaginable potential to answer things that need a lot of research. Due to its increasingly demanding usage, securing it from threat actors is also essential.
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
Microsoft Patch Tuesday May 2025: 72 flaws, 5 Actively Exploited Zero-Day
OTP glitch disrupted NID services across the country
Google to pay Texas $1.4 billion for location tracking practices
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
The Microsoft-backed platform has launched its Bug Bounty Program on BugCrowd. Many Security researchers have already found some vulnerabilities on ChatGPT, and we’re posting them now and then.
However, it is now an excellent opportunity for security professionals to report their bugs and get rewarded for their work.
Their rewards are below as per their Bug bounty program and the VRT (Vulnerability Rating Taxonomy) of Bugcrowd.
- P4 – $200 – $500
- P3 – $500 – $1000
- P2 – $1000 – $2000
- P1 – $2000 – $6500
The program also mentioned that the reward can go up to a maximum of $20,000, making it a huge reward for critical bugs. So far, 14 Vulnerabilities have been reported on the program.
Scope of the Program
The following applications are in scope.
- ChatGPT, ChatGPT Plus, Logins, Subscriptions, OpenAI-created Plugins created by users, and all other functionalities.
Bugs that can be reported include,
- XSS or Stored XSS
- CSRF
- SQLi
- Authentication and Authorization Issues
- Data Exposure
- Payment based bugs
- Cloudflare Bypass to send traffic to unprotected endpoints
- Running queries on private models that are not available to the Public
- Browsing or Code Interpreter Plugins created by OpenAI
- SSRF
- OAuth Flaws
- Credential Security and making plugin calls to unrelated domains
Since OpenAI has access to the entire internet, issues related to Google Workspace, Asana, Trella, Jira, Monday.com, Notion, Hubspot, and many more related issues related to OpenAI can also be reported.
However, there are restrictions to perform additional security testing on these companies.
Subdomains of openai are also included in the scope of the program. The subdomains of OpenAI can be found at
- *.openai.com
Out-of-Scope Vulnerabilities
Though most bugs are eligible for reporting, some of the bugs listed below are out of the program’s scope.
- Issues based on the Model
- Brute Forcing API
- Fuzzing, password spraying unauthorized attacks
- Stolen or Leaked Credentials stemming
- Clickjacking
- SSL/TLS Cipher security issues with PoC
- Server error messages without exploit proof
- Old/EoL browser/ plugins related issues and much more
