Cooperative: Good faith, helpful engagements. Third party inbound disclosure processes are respected, subject to exceptions in this policy.

Discreet by default: Initial disclosures are private. Public disclosures usually occur only after explicit vendor or open source maintainer consent, subject to exceptions set out below.

Attribution when relevant: Vulnerabilities will be credited as discovered by OpenAI Security Research - Aardvark. Where applicable, we may attribute discovery to specific individuals, systems, or agents.

There may be exceptions in certain cases. For example, if timelines shift or there is a material difference in views around severity or patching, we may proceed with disclosure to ensure transparency and consistency in our process.