共有:
Jailbreak Severity Standard

A CVSS for jailbreaks
arrives

The same yardstick that ranks software vulnerabilities is finally being drawn up for generative-AI jailbreaks. Reports that used to arrive in a different dialect from every lab will soon share one severity scale — and the first draft is already in motion.

AI Navigate Editorial·2026.07.06·6 min read
TODAY Lab A Lab B Lab C 3.2 / 4 High Sev-2 UNIFIED 0 2 4 6 8 10 Same attack, same yardstick
01
The Problem

Every vendor had a
different ruler

When the same jailbreak (a bypass of safety guards) is reported to three labs, Lab A calls it "Sev-2," Lab B calls it "High," and Lab C files a "3.2 out of 4." The numbers do not mean the same thing at the definition level, so lining up two reports and asking which is more urgent has been surprisingly hard.

The vulnerability world solved this roughly twenty years ago with CVSS (Common Vulnerability Scoring System) — quantifying attack vector, impact, and complexity so that different scorers land in the same neighborhood. Generative AI never had that shared ruler.

Today (per-vendor)Common metric (draft)
Words like "High" and "Sev-2" don't align0–10 scalar plus 4 severity labels
Same attack drifts across labsFive defined axes absorb the drift
Cross-vendor comparison is craft workJust attach the score to any report
Doesn't slot into internal SOC weightingCVSS-compatible flow straight into SIEM

02
How It Scores

Five axes measure the risk

The draft follows CVSS in spirit: five evaluation axes quantify how exploitable a given jailbreak actually is.

4.5 7.5 5.5 8.5 3.5 Reach Scope Privilege Stealth Repro Attack Vector Impact Scope Escalation Detectability Reproducibility SEVERITY BY AXIS
FIG. The five axes collapse into a 0–10 composite score and a Low / Medium / High / Critical label.

"Reach" asks what the attacker needs (only the public API, or internal credentials); "Scope" asks how far the blast radius goes, from data leakage to asset compromise. "Privilege" measures whether the model can be coaxed into tools it should never touch, "Stealth" whether guards and audit trails catch it, and "Reproducibility" whether anyone can rerun the exact recipe.

The composite score sits on a 0–10 scale and lands on the familiar Low / Medium / High / Critical ladder. Classic prompt-injection patterns that red teams already track can be re-scored on these five axes and finally compared across vendors on equal terms.

03
By The Numbers

The draft is already at scale

7
Frontier labs at the table
5
Evaluation axes (Attack Vector et al.)
Q4
Target window for v1.0 in 2026

Anthropic and other frontier labs are pooling draft rubrics and cross-scoring shared case studies to shake out disagreement. Contacts with FIRST — the community that already runs CVSS — mean the metric is being shaped to drop straight into the security stack teams already use.


Only when reports speak the same language
can defenses move at the same speed.


04
In Practice

How red teams plug in

Ops teams don't have to abandon their internal scale. The common metric rides on top as a translation layer.

Layer over your rubric

Keep Sev-1 through Sev-4 in place, but attach the common score in every report. Nothing internal breaks, and external write-ups become instantly comparable.

Prioritize side by side

When reports across models sit on one ruler, patch and mitigation ordering stops being intuition and starts being a number your team can defend.

Route into SIEM

Because the format is CVSS-compatible, dashboards and vulnerability managers can ingest jailbreak scores through the same pipeline they use today.


05
Frontier

Building a shared word
for "dangerous"

Anthropic and other major labs began drafting a common severity metric for AI jailbreaks, modeled on CVSS. Vulnerability severity has been scored differently by every vendor, making cross-vendor comparison hard. Just aligning the ruler unlocks priority, patch order, and bounty design in one motion.

Red-team leads can now map internal scoring onto a shared standard, bridging external reports and in-house metrics. The same acceleration CVSS gave the wider security field is about to reach generative AI — over the next one to two years.

AI Navigate — Daily Update · 2026.07.06