Experts Warn: AI Vulnerability Testing Lacks Clear Rules (But There Is a Solution)

Writer: Jordan Sprogis

Jordan Sprogis, Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

Editor: Lillian Castro

Lillian Castro, Senior Editor

Lillian Castro brings more than 30 years of editing and journalism experience to our team. She has written and edited for major news organizations, including The Atlanta Journal-Constitution and the New York Times, and she previously served as an adjunct instructor at the University of Florida. Today, she edits HostingAdvice content for clarity, accuracy, and reader engagement.

Reviewer: Cristian Lopez

Cristian Lopez, News Manager

Cristian Lopez uses his Business Marketing background from the University of Illinois at Chicago to create comfortable environments for customers, clients, and colleagues to share their thoughts and ideas openly. From interviewing tech leaders to conducting UX market research projects, Cristian knows the importance of storytelling — a key variable for innovation and inspiration. His goal at HostingAdvice is to wow readers on the ever-evolving nature of the tech industry and bring his audience the most reliable and exciting content on all things hosting.

Follow the HostingAdvice team for a daily dose of tech news, trending IT discussions, and interviews with the web's most innovative technologists.
Follow Us:
2.7k
1k

Every provider is, without a doubt, integrating AI into their platforms. Whether it’s via onboarding, chat support, building and design, or extra features and add-ons, AI tools are everywhere. And yet, HackerOne says AI-related issues jumped more than 200% last year alone.

That’s the nudge that pushed the bug bounty and cybersecurity platform to expand its regulatory framework to include a new Good Faith AI Research Safe Harbor, which specifically addresses the “legal gray zones” that AI security testing keeps running into.

Michael Woolslayer, Policy Counsel at HackerOne
Michael Woolslayer, Policy Counsel at HackerOne

“While the original framework [the Gold Standard Safe Harbor] was designed for traditional software security testing, the AI Safe Harbor goes further to address potential ambiguity by explicitly protecting testing of AI behaviors that don’t fit neatly into legacy vulnerability categories,” Michael Woolslayer, Policy Counsel at HackerOne, told us.

So, under the program, companies agree not to enforce Terms of Service or Acceptable Use restrictions against approved good-faith AI research, won’t pursue legal action over that testing, and will support researchers if third parties challenge their work.

OK — so what? Most hosting providers have already sat through the AI planning meetings. Should you add a builder? SEO tools? Generative copy? Automated security? Those are the easy questions; the fun ones. The harder ones are…less sexy.

Hosting providers typically rely on vendors to vet the AI tools they integrate. But when a third-party feature causes an issue for customers, clients will look to their host.

But adopting the AI Research Safe Harbor can also apply directly to hosting providers, not just their vendors. By adopting the program, Woolslayer says they can authorize and support research into prompt injections, hallucinations, and other AI-specific risks much easier.

AI Bugs Aren’t Traditional Bugs

Woolslayer explained to us that, unlike traditional software bugs, AI vulnerabilities don’t yet quite fit into existing vulnerability categories. For example, most bug bounty programs aren’t designed to recognize them (yet).

But HackerOne’s own report found that AI tools are not only expanding attack surfaces, but prompt injections are the most common entry point. Prompt injections can happen through any AI feature that accepts user input and passes it to a model. It’s that simple.

“Traditional bug bounty rules were built around code — clear, predictable logic with well-defined security boundaries,” Woolslayer added. “AI systems behave in dynamic and sometimes unexpected ways, and they’re vulnerable to misuse that isn’t always captured by conventional vulnerability frameworks.”

Prompt injections are among the easiest ways to violate a system. Source: HackerOne

Under the safe harbor framework, researchers can test AI systems you or your vendors own or control without fear of legal retaliation. You might be surprised to learn just how frequent these researchers are punished, too.

Take a look at Hewlett-Packard, which threatened a lawsuit against a security firm after a vulnerability exploit was publicly released. Or another case, which tells the story of a security researcher who was fined by a German court for reporting vulnerabilities they found in a company’s systems.

That’s what the AI Research Safe Harbor is trying to resolve, Woolslayer said. Even when researchers uncover real flaws, violating a platform’s Terms of Use is still violating the Terms of Use. No company thanks someone for finding a critical issue if the way they discovered it violated the rules.

And while no hosting provider or vendor or developer is required to adopt the framework, its existence is the reminder that if AI runs on your platform, whether you built it, licensed it, or bundled it, the risk will fall onto the provider that’s deploying it to their customers.

About the Author

Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

« BACK TO: BLOG

Meet the Experts

Our team of experts with a combined 50+ years of experience in web hosting serve insight and advice to more than 20 million users!

We Know Hosting

$

4

8

,

2

8

3

spent annually on web hosting!