Anthropic unveils 'CVSS for Jailbreaks' and HackerOne program
Serge Bulaev
Anthropic and partners have released an early draft of a Cyber Jailbreak Severity (CJS) rubric, which may help rate AI jailbreaks in a way similar to how CVSS rates software bugs. This draft is not a finished standard and appears to ask for industry feedback before becoming official. Anthropic also opened a HackerOne program for researchers to report jailbreaks in Claude Fable 5, but it is a disclosure program, not a paid bounty. Fable 5 now uses an improved security classifier that reportedly blocks most known bypasses, but some issues may still occur because third-party tools might ignore security signals. There is no release date yet for the final CJS standard, and ongoing feedback will shape its future.

Anthropic has unveiled a 'CVSS for Jailbreaks,' a draft framework designed to standardize AI vulnerability scoring. The Cyber Jailbreak Severity (CJS) rubric was released alongside a new HackerOne disclosure program for reporting jailbreaks in Claude models. The rubric is a voluntary industry initiative by Anthropic and Project Glasswing partners, not mandated by a Commerce Department order. Partners Amazon, Microsoft, and Google confirmed their involvement, framing the rubric as a shared vocabulary rather than a finished standard.
Why a new rubric at all?
The Cyber Jailbreak Severity (CJS) rubric proposes a five-tier scoring system for AI model vulnerabilities, inspired by CVSS for software bugs. It assesses jailbreaks on capability gain, task breadth, ease of weaponization, and discoverability, creating a standardized way to triage probabilistic and context-dependent AI flaws.
Unlike the deterministic bugs that the traditional CVSS addresses, AI jailbreaks are probabilistic and context-dependent, making them difficult for security teams to triage effectively. The CJS proposal aims to fill this gap with a five-tier severity scale (CJS-0 to CJS-4) and four key scoring axes:
- Capability gain beyond existing widely available tools
- Breadth of tasks that benefit
- Ease of weaponization
- Discoverability of the technique
The Cloud Security Alliance notes that the Fable 5 incident triggered export controls, but the rubric remains a voluntary industry initiative rather than a regulatory requirement.
Early draft timeline
The framework development timeline shows rapid progress, though specific milestone dates remain limited in public documentation. The initiative emerged from collaboration between major AI labs through Project Glasswing, with the framework still labeled as a draft without a confirmed v1.0 release date.
HackerOne results so far
Anthropic clarifies that its HackerOne initiative is a formal vulnerability disclosure program (VDP), not a paid bounty. Findings from red-teaming are directly integrated into Anthropic's internal safety processes based on the severity and nature of the discovered threats. While public data on submissions is limited, the program provides a structured channel for security researchers to report potential vulnerabilities.
Mitigations on Claude models
Anthropic has implemented improved safety classifiers in its Claude models to address identified vulnerabilities. Anthropic's safety systems may trigger fallbacks to less-capable models in certain scenarios when borderline requests are detected. The company continues to refine these safety mechanisms based on ongoing research and testing.
What happens next
The CJS rubric currently has no official release date. Anthropic and its partners will review community feedback before publishing a finalized standard. In the interim, security teams can use the draft five-tier scale to pilot internal risk discussions. Researchers interested in testing Claude models can find submission portals linked from the Anthropic blog.
What is the Cyber Jailbreak Severity (CJS) framework and how does it work?
Anthropic, in collaboration with Amazon, Microsoft, and Google, has proposed an early draft of the Cyber Jailbreak Severity (CJS) framework - a standardized scoring system modeled on the Common Vulnerability Scoring System (CVSS) used for traditional software vulnerabilities. The framework rates AI jailbreaks on a five-tier scale from CJS-0 (Informational) to CJS-4 (Critical) based on four key criteria: capability gain (whether the jailbreak unlocks capabilities beyond existing tools), breadth of capability gain (how many distinct offensive tasks it enables), ease of weaponization (the effort required to turn the technique into an attack), and discoverability (how easily the method can be found). This represents a significant step toward industry-standardized triage for model vulnerabilities, allowing security teams to prioritize fixes with the same systematic approach used for conventional software security.
What is Anthropic's HackerOne program and what does it cover?
Anthropic has launched a HackerOne vulnerability disclosure program specifically focused on Claude models. Importantly, this is a Vulnerability Disclosure Program (VDP) rather than a paid bug bounty - researchers submit potential cyber jailbreaks for responsible disclosure and recognition, not monetary compensation. The program provides a formal channel for security researchers to report jailbreaks that could enable Claude models to assist with harmful cyber use cases such as software vulnerability discovery or exploit generation. Anthropic is actively soliciting external feedback to refine its approach to AI cybersecurity jailbreak risk.
What specific mitigations has Anthropic implemented for Claude models?
Anthropic has implemented improved cybersecurity safety classifiers in its Claude models to address identified vulnerabilities. The company continues to refine these safety mechanisms based on ongoing research and red-teaming activities. When safety systems detect potentially problematic requests, they may implement various mitigation strategies to prevent harmful outputs while maintaining model functionality for legitimate use cases.
How does the CJS framework compare to existing vulnerability scoring systems?
While the CJS framework draws explicit inspiration from CVSS, the broader security community has raised important questions about applying traditional scoring systems to AI vulnerabilities. CISA's Directive M-26-04 formally retired CVSS as a federal compliance mechanism for AI systems, replacing it with a four-variable risk matrix that better captures exploitability in AI contexts. Critics note that CVSS was designed for deterministic software bugs with binary exploitability, whereas AI attacks are probabilistic and context-dependent - a jailbreak might work 50% of the time or 5% of the time, with significantly different risk implications. Research indicates CVSS scores do not correlate well with actual exploitation likelihood, highlighting the need for AI-specific vulnerability assessment frameworks.
What is the current status and timeline for the CJS framework?
The CJS framework remains in active development as an early draft with no formal 1.0 release date announced. Anthropic is actively collecting feedback to refine the framework into a practical, industry-wide standard. The framework's development emerged from Project Glasswing - a collaboration between major AI labs - as a voluntary industry initiative. The partners aim to refine the draft into a "practical, agreed-upon standard" for industry-wide communication about jailbreak severity, though adoption timelines remain flexible given the voluntary nature of the initiative.