After 200+ days trying to coordinate disclosure of a critical ChatGPT container escape with @OpenAI, I'm going public.
I've documented the complete timeline of what happens when responsible disclosure fails.
📄 Full disclosure: https://t.co/GdUd8whNqg
The timeline:
- Feb 20: Reported via Bugcrowd → duplicate
- Mar 10: NEW container escape → no response
- Mar 17: VC escalation → no response
- Mar 31: CEO/CISO email → no response
- My submission DELETED from platform
200+ days total silence.
The vulnerability enables complete production infrastructure compromise:
Root access → SSH on 0.0.0.0:22 → Docker gateway → prod systems
Affects millions of ChatGPT users (Plus, Team, Enterprise).
I'm withholding the exploit technique (initial step) to prevent malicious use.
I consulted legal counsel across 3 jurisdictions.
I'm a 21yo security engineer. First major disclosure outside of web3. Just trying to do the right thing.
How long is "too long" when vendors don't respond?
Full technical writeup with evidence, timeline, and legal analysis:
https://t.co/GdUd8whNqg
Available for questions from researchers and journalists.
@OpenAI@sama
#InfoSec #ResponsibleDisclosure #ChatGPT
Est ce que quelqu’un a déjà fait deux masters 1 en même temps ? Par exemple un sur monmaster un autre sur une autre plateforme. C’est possible de gratter pour en passer un en examen terminale ?