OpenAI Launches GPT-5.5 Bio Bug Bounty Program

OpenAI has opened a restricted Bio Bug Bounty for GPT-5.5, inviting vetted AI red-teamers, cybersecurity researchers, and biosecurity experts to attempt to find a single "universal jailbreak" that bypasses the model's safeguards and answers a five-question bio-safety challenge. The program offers a top prize of $25,000 to the first successful universal jailbreak, with smaller discretionary awards for partial findings. Applications opened on April 23, 2026 and close June 22, 2026; the active testing window runs April 28 to July 27, 2026. Access is limited, participants sign NDAs, and testing is restricted to Codex Desktop.

The core task is to craft one prompt that, from a clean chat session, circumvents moderation and guardrails to answer the five bio-safety questions. OpenAI scopes the bounty specifically to GPT-5.5 running in Codex Desktop, and it treats submissions, prompts, and outputs as confidential. The public GPT-5.5 system card documents targeted predeployment safety evaluations and a Preparedness Framework that include offline red-teaming for bio and cybersecurity risks. Key program parameters include:

• •Model in scope: GPT-5.5 in Codex Desktop only.
• •Challenge: one universal jailbreaking prompt to clear all five bio-safety questions from a clean chat without triggering moderation.
• •Rewards: $25,000 for the first true universal jailbreak; discretionary awards for partial wins.
• •Timeline: applications April 23 to June 22, 2026; testing April 28 to July 27, 2026.
• •Access and disclosure: invite/application-only, vetting required, NDA covers all materials.

This bounty is a defensive move addressing a rising operational risk: as foundation models gain deeper domain competence, the attack surface for malicious, dual-use biological guidance grows. By asking external experts to find a universal jailbreak rather than point vulnerabilities, OpenAI is testing for broadly reusable prompt attacks that scale beyond single-session exploits. That matters because a universal prompt can be embedded into automation, packaged into tooling, or redistributed, increasing downstream abuse risk. The selection of Codex Desktop as the test environment signals attention to tool-enabled workflows where code, tool use, and stepwise planning amplify potential harms.

OpenAI pairs this bounty with its GPT-5.5 system card and its Preparedness Framework, which indicates the company ran internal offline red-teaming and evaluation before release. The external bounty complements those efforts by bringing adversarial creativity from the broader security and biosecurity community, under controlled conditions. The NDA and invite model balance intelligence gathering with preventing premature disclosure of exploits or sensitive biological information.

Security teams, red-teamers, and model operators should treat this as a case study in operationalizing safe testing. Designing defenses requires thinking about reusable attack vectors, not only single-turn prompt injections. Monitoring strategies should look for patterns consistent with universal prompts, such as highly templated sequences or obfuscated instructions. For researchers, the bounty signals that access-controlled, NDA-backed vulnerability research pathways are viable models for responsible disclosure when biological risk is involved.

Will the program find any universal jailbreaks, and if so, how will OpenAI remediate and publish learnings without revealing exploit details? Watch for follow-up changes to Codex Desktop deployment settings, moderation heuristics, or broader policy shifts informed by bounty outcomes. Also watch whether other platform operators adopt comparable invite-only bounties for domain-specific dual-use risks.

The GPT-5.5 Bio Bug Bounty is a targeted, high-friction approach to discover and mitigate scalable biological misuse vectors. It is meaningful for practitioners because it raises the bar on what constitutes a threat and shows how defensive programs can be structured when outputs could materially affect public safety.