Google has expanded its vulnerability rewards program (VRP) to incorporate assault situations particular to generative AI.
In an announcement shared with TechCrunch forward of publication, Google mentioned: “We imagine increasing the VRP will stimulate analysis into the security and safety of AI and reveal potential points that can in the end make AI safer for everybody will make.”
Google’s Vulnerability Rewards (or Bug Bounty) program pays moral hackers for locating and responsibly disclosing safety flaws.
Provided that generative AI exposes new safety issues, such because the potential for unfair bias or mannequin manipulation, Google mentioned it was making an attempt to rethink categorize and report bugs it receives.
The tech large says it’s doing this by leveraging the findings of its newly shaped firm AI Purple Group, a bunch of hackers who simulate quite a lot of adversaries, starting from nation states and government-backed teams to hacktivists and malicious insiders, to detect safety weaknesses in know-how. The group lately performed an train to find out the most important threats to the know-how behind generative AI merchandise akin to ChatGPT and Google Bard.
The group discovered that giant language fashions (or LLMs) are susceptible to issues like immediate injection assaults, the place a hacker crafts hostile prompts that may affect the mannequin’s habits. An attacker can use this kind of assault to generate textual content that’s malicious or offensive or to leak delicate info. Additionally they warned of one other sort of assault known as coaching information extraction, which permits hackers to reconstruct verbatim coaching examples to extract personally identifiable info or passwords from the information.
Each forms of assaults fall underneath the scope of Google’s expanded VRP, together with mannequin manipulation and mannequin theft assaults, however Google says it won’t provide rewards to researchers who uncover bugs associated to copyright points or information extraction that reconstructs non-sensitive information or public info.
The financial reward will range relying on the severity of the found vulnerability. Researchers can at the moment earn $31,337 in the event that they discover command injection assaults and deserialization bugs in extremely delicate purposes, akin to Google Search or Google Play. If the issues contain decrease precedence apps, the utmost reward is $5,000.
Google says it’ll have paid out greater than $12 million in rewards to safety researchers in 2022.