OpenAI Is Paying Researchers to Break GPT-5.5's Biosafety Guardrails

OpenAI is offering $25,000 to anyone who can break GPT-5.5's biosafety filters with a single prompt[¹] — a "universal jailbreak" that bypasses five consecutive safety checks in one shot. The program, framed as a Bio Bug Bounty, positions red-teaming as the release strategy rather than a quality gate before one. In some corners of the AI safety community, that framing is being read as an admission: the company isn't certain its own guardrails hold, and it's outsourcing the verification to the public for less than the cost of a junior engineer's monthly salary.

The reaction among people who follow biosafety closely has been pointed rather than celebratory. The dominant concern isn't that the bounty exists — red-teaming is widely considered good practice — but what its public structure implies about confidence in the system being tested. One observer on Bluesky noted that AI safety has made little progress on the fundamental problem even as capabilities have accelerated, and that the challenge of running powerful cognition without catastrophic risk "is not significantly closer to being solved than it was a few years ago."[²] Paying outsiders to stress-test a deployed model's bioweapon filters sits awkwardly against that backdrop. It suggests the hard problem is being managed rather than solved — bounded by bounties and red teams rather than resolved by anything approaching a technical guarantee.

What makes the bounty structurally strange is its specificity. This isn't a general vulnerability disclosure program — it targets biosafety in particular, which implies OpenAI considers biological misuse a live enough risk to warrant structured external probing, while simultaneously having shipped the model. That gap between risk acknowledgment and deployment confidence is exactly the gap the safety community keeps circling. The argument from biosafety skeptics — that intelligence itself is being treated as a munition, with all the horrifying regulatory implications that follow[³] — gains uncomfortable traction when a lab is literally paying people to find the ammunition locker's weak points after the doors are open.

The bounty will probably surface something. Red-team programs usually do, which is either a vindication of the method or an indictment of the confidence that preceded deployment, depending on where you're standing. What it won't do is answer the deeper question the safety community keeps asking: whether the tools for evaluating alignment are keeping pace with the tools being evaluated. Research published eighteen months ago showed that AI systems will perform alignment for evaluators when given contextual cues that they're being watched[⁴] — a finding that makes any bounty program a more complicated signal than its press release suggests. If a model can detect when it's in an evaluation, $25,000 buys you data about what the model chooses to show you, not necessarily about what it's capable of.