← all news

Anthropic drafts a severity scale for AI jailbreaks

AI · · · source (anthropic.com)

When someone reports that they got a model to write malware, the industry has no shared way to say how bad that really is. Anthropic wants to fix that. Working with Amazon, Microsoft, and Google under its Glasswing initiative, it has published an early-draft framework for rating the severity of cyber jailbreaks, the tricks that get a model to bypass its safeguards.

The core of it is the Cyber Jailbreak Severity scale, five bands from CJS-0 (informational) to CJS-4 (critical), spaced logarithmically so each step means roughly an order of magnitude more risk. A score combines four axes: how much real capability the jailbreak hands an attacker beyond tools they already have (0 to 4 points), how broadly it applies across attack types (0 to 2), how easily it turns into a working attack (0 to 2), and how discoverable the technique is, from a confidential report to already public (0 to 2). A universal system-prompt override that unlocks everything scores the full 10, a clean CJS-4. A step-by-step recipe for writing malware lands at CJS-3, or 7.5. The calculated number is a floor, not a verdict: reviewers can raise it for something like a novel critical vulnerability in widely deployed software, but never lower it.

Alongside the scale, Anthropic sorted the security tasks its Claude Fable 5 classifiers police into four buckets, from prohibited uses like ransomware to benign ones like patch management. It also opened a HackerOne program so researchers can submit jailbreaks against the new rubric.

Why it matters

If you do security research or run a red team, this gives you a common vocabulary to argue about severity with vendors instead of trading anecdotes, and a public HackerOne channel to report through. The draft status matters too: the axes and thresholds are still open for feedback, so now is the moment to push back if the scoring misreads your part of the field.

AnthropicSecuritySafety