Keeping GenAI technologies secure is a shared responsibility
Generative artificial intelligence (GenAI) is reshaping our world, from streamlining work tasks like coding to helping us plan summer vacations. As we increasingly adopt GenAI services and tools, we also face the emerging risks of their malicious use. Security is crucial, as even one vulnerability can jeopardize users’ information or worse. However, securing GenAI is too vast and complex for a single entity to handle alone. Mozilla believes sharing this responsibility is essential to successfully keep people safe.
To combat both bugs and vulnerabilities, the concept of the bug bounty program – which incentivizes a community of independent participants to identify flaws and report them – was first launched in the mid-1990s by Netscape to crowd source bug discovery in the Netscape Navigator web browser. Fast forward to 2002 and the next generation of bounty programs was born when iDefense rolled out the Vulnerability Contributor Program (VCP), the first security-specific all-vendor public bounty program. Later, in 2005, TippingPoint introduced the Zero Day Initiative (ZDI) which follows the same model, allowing researchers from anywhere in the world to profit from their auditing research on nearly any technology vendor.
More recently, companies like HackerOne and BugCrowd have commoditized bounty programs, allowing participating companies to incentivize the community to report directly to them, versus going through an intermediary like the VCP or ZDI. Some GenAI companies are enrolled in these programs, providing bounties for defects found in supporting software, but not the models themselves. Others have hosted temporary model bounties while rapidly building their GenAI applications. However, this approach benefits their own models rather than the foundational technologies. As companies move at light speed to be the first to market, can we trust that they’ll work with the same scrutiny on security and consider future implications? History has demonstrated that this usually is an afterthought.
