At OpenAI, we are committed to advancing a secure digital ecosystem. That’s why we’re introducing our Outbound Coordinated Disclosure Policy, which lays out how we responsibly report security issues we discover in third-party software. We're doing this now because we believe coordinated vulnerability disclosure will become a necessary practice as AI systems become increasingly capable of finding and patching security vulnerabilities. Systems developed by OpenAI have already uncovered zero-day vulnerabilities in third-party and open-source software, and we are taking this proactive step in anticipation of future discoveries.

Whether surfaced through ongoing research, targeted audits of open source code we leverage, or automated analysis using AI tools, our goal is to report vulnerabilities in a way that’s cooperative, respectful, and helpful to the broader ecosystem.

This policy lays out how we disclose issues found in open-source and commercial software through automated and manual code review, as well as discoveries arising from internal usage of third-party software and systems.

We take an intentionally developer-friendly stance on disclosure timelines and have elected to leave timelines open-ended by default. This approach reflects the evolving nature of vulnerability discovery, particularly as AI systems become more effective at reasoning about code, its strengths and weaknesses, and generating reliable patches to increase code security. We anticipate our models detecting a greater number of bugs of increasing complexity, which may require deeper collaboration and more time to resolve sustainably. We’ll continue working with software maintainers to develop disclosure norms that balance urgency with long-term resilience. We still reserve the right to disclose when we determine there is, for example, public interest in doing so.