Some links on this page are affiliate links. We may earn a commission at no extra cost to you.
Updated: Jul 3, 2026
·
anthropicsecurityregulation

Anthropic proposes 'CVSS for AI jailbreaks' — a CJS-0 to CJS-4 severity scale, plus a HackerOne bounty on the restored Fable 5

TL;DR: On July 2, 2026, Anthropic — with Glasswing partners Amazon, Microsoft, and Google — proposed a Cyber Jailbreak Severity (CJS) scale: a standardized way to score how dangerous an AI jailbreak is, grading from CJS-0 (Informational) to CJS-4 (Critical) on an exponential scale, across four axes — capability gain, breadth, ease of weaponization, and discoverability. Think CVSS, but for AI jailbreaks. The stated goal: a common vocabulary so AI developers and governments can talk about jailbreak risk in consistent terms — precisely the gap that turned the Fable 5 bypass into an 18-day shutdown. Anthropic also opened a HackerOne program for researchers to submit jailbreaks in the restored Fable 5. The bigger picture: this is the AI industry’s safety-governance response to the Five Eyes “months, not years” cyber warning — the first standardized severity rubric for AI jailbreaks. Confirmed via Anthropic, Crypto Briefing, and Infosecurity Magazine.

What was proposed

Per Anthropic’s July 2 post and coverage from Crypto Briefing and Infosecurity Magazine:

Why this matters

Three reads.

1. It’s CVSS for AI jailbreaks — and that analogy is the whole point. Software security matured enormously once the industry agreed on CVSS, a shared 0-10 severity scale that let everyone — vendors, defenders, governments — talk about a vulnerability in the same terms. AI has had no equivalent for jailbreaks, which is exactly why the Fable 5 bypass spiraled: Anthropic saw a “narrow” jailbreak, the government saw a national-security threat, and with no common rubric to adjudicate, the result was an 18-day shutdown. A CJS scale gives both sides a way to say “this is a CJS-2, not a CJS-4” — turning a shouting match into a graded assessment. If it sticks, it’s the single most useful piece of governance infrastructure to come out of the whole saga.

2. It’s the industry’s self-governance answer to the Five Eyes warning. Yesterday’s Five Eyes “months, not years” cyber warning set the threat model; CJS is the industry’s structured response. Rather than wait for governments to impose a framework, four of the biggest players (Anthropic, Amazon, Microsoft, Google) proposed their own — a classic move to shape regulation by pre-empting it. The venue matters: this isn’t Anthropic alone, it’s a multi-vendor proposal, which is how industry standards actually form. Whether governments adopt CJS or build their own, the labs just planted a flag.

3. The HackerOne bounty is a notable trust signal. Opening a government-sensitive, just-restored model to crowdsourced jailbreak hunting is a confident move. It says Anthropic believes its hardened classifier (99%+ on the known bypass) will hold, and it enlists the security community to find the next one before adversaries do — the same bug-bounty logic that made software more secure, now applied to AI safety. For a model that was offline 18 days over a single jailbreak, inviting researchers to find more is a deliberate statement of confidence.

What it means for the AI tools you use

Directly, nothing today. CJS and the HackerOne program are safety infrastructure — you won’t see them in your Claude, ChatGPT, or Gemini session. But they matter for the stability of the tools you rely on:

For most readers, the takeaway is reassurance: the frontier models you use are getting a more grown-up safety and governance layer, which reduces the odds of another 18-day access scramble.

The honest caveats

CJS is a proposal, not a standard. Four major players backing it is meaningful, but it isn’t adopted policy or a government-recognized standard. Standards take time and often fragment (competing frameworks are common). Watch whether it gets broader industry and regulatory buy-in.

Self-governance has obvious incentives. Labs proposing the framework that will be used to judge their own models’ jailbreaks is a conflict worth naming. It’s reasonable — they have the expertise — but a severity scale designed by the vendors is not the same as an independent one. The multi-vendor nature helps; independent oversight would help more.

Severity scoring is genuinely hard. Assigning a jailbreak a CJS level requires judgment on capability, breadth, weaponization, and discoverability — none of which are cleanly measurable. Like CVSS (which is frequently disputed), CJS scores will be argued over. A rubric reduces disagreement; it doesn’t eliminate it.

The HackerOne program’s scope is narrow. It covers Fable 5 cyber jailbreaks specifically. That’s a sensible start, but it’s not a comprehensive AI-safety bounty, and its real value depends on researcher participation and how Anthropic acts on submissions.

What it changes for Pick Right readers

Nothing you can act on today — but this is the constructive sequel to the Fable 5 drama. The saga didn’t just end with the model coming back; it produced the industry’s first standardized jailbreak-severity framework and a crowdsourced safety program. That’s the difference between a one-off scramble and a maturing system. For anyone betting on frontier AI for the long run, a common language for risk — and a bug-bounty culture around it — is exactly the infrastructure that makes the tools more dependable.

For the full thread, see the Five Eyes cyber warning explainer, the Fable 5 restoration, the Fable 5 government shutdown, Executive Order 14409, the Mythos 5 trusted-partners clearance, Project Glasswing / Mythos, and the Claude review.

Frequently asked questions

What is the Cyber Jailbreak Severity (CJS) framework?

A proposed standard, published July 2, 2026 by Anthropic with Amazon, Microsoft, and Google, for scoring how dangerous an AI jailbreak is. It grades severity from CJS-0 (Informational) to CJS-4 (Critical) on an exponential scale, using four axes: capability gain (how far beyond existing attacker tools it goes), breadth (how many offensive tasks it enables), ease of weaponization, and discoverability. It's conceptually similar to CVSS, the standard severity scale for software vulnerabilities.

Why does a jailbreak severity scale matter?

Because right now there's no shared language for it. The Fable 5 bypass that triggered an 18-day government shutdown might have been handled more calmly if labs and regulators could have agreed 'this is a CJS-2, not a CJS-4.' A common rubric lets AI developers and governments communicate risk in consistent terms — which could prevent the next abrupt shutdown and make the government-gated regime more predictable.

What is the HackerOne program for Fable 5?

Anthropic launched a vulnerability-disclosure program on HackerOne where security researchers can submit potential cyber jailbreaks they discover in the newly restored Fable 5 for Anthropic's review. It's a crowdsourced way to find jailbreaks before malicious actors do — bug-bounty-style, but for AI safety rather than software bugs.

Is CJS an official standard now?

No — it's a proposal, developed by Anthropic with its Glasswing partners (Amazon, Microsoft, Google). It isn't adopted policy or a government standard yet. Whether it becomes an industry or regulatory standard is the thing to watch; for now it's a well-backed proposal from four major players.

Does this affect the AI tools I use?

Not directly today. But it's part of the safety layer maturing under the tools you use. A standardized severity framework plus crowdsourced jailbreak discovery should make frontier-model access more stable (fewer abrupt shutdowns) and the safeguards more robust over time. It's infrastructure that benefits users even though you never see it.

Sources

Related tool reviews

Questions or corrections? Email Pick Right. Want the full list? See all news.