A CVSS for jailbreaks
arrives
The same yardstick that ranks software vulnerabilities is finally being drawn up for generative-AI jailbreaks. Reports that used to arrive in a different dialect from every lab will soon share one severity scale — and the first draft is already in motion.
Every vendor had a
different ruler
When the same jailbreak (a bypass of safety guards) is reported to three labs, Lab A calls it "Sev-2," Lab B calls it "High," and Lab C files a "3.2 out of 4." The numbers do not mean the same thing at the definition level, so lining up two reports and asking which is more urgent has been surprisingly hard.
The vulnerability world solved this roughly twenty years ago with CVSS (Common Vulnerability Scoring System) — quantifying attack vector, impact, and complexity so that different scorers land in the same neighborhood. Generative AI never had that shared ruler.
| Today (per-vendor) | Common metric (draft) |
|---|---|
| Words like "High" and "Sev-2" don't align | 0–10 scalar plus 4 severity labels |
| Same attack drifts across labs | Five defined axes absorb the drift |
| Cross-vendor comparison is craft work | Just attach the score to any report |
| Doesn't slot into internal SOC weighting | CVSS-compatible flow straight into SIEM |
Five axes measure the risk
The draft follows CVSS in spirit: five evaluation axes quantify how exploitable a given jailbreak actually is.
"Reach" asks what the attacker needs (only the public API, or internal credentials); "Scope" asks how far the blast radius goes, from data leakage to asset compromise. "Privilege" measures whether the model can be coaxed into tools it should never touch, "Stealth" whether guards and audit trails catch it, and "Reproducibility" whether anyone can rerun the exact recipe.
The composite score sits on a 0–10 scale and lands on the familiar Low / Medium / High / Critical ladder. Classic prompt-injection patterns that red teams already track can be re-scored on these five axes and finally compared across vendors on equal terms.
The draft is already at scale
Anthropic and other frontier labs are pooling draft rubrics and cross-scoring shared case studies to shake out disagreement. Contacts with FIRST — the community that already runs CVSS — mean the metric is being shaped to drop straight into the security stack teams already use.
Only when reports speak the same language
can defenses move at the same speed.
How red teams plug in
Ops teams don't have to abandon their internal scale. The common metric rides on top as a translation layer.
Layer over your rubric
Keep Sev-1 through Sev-4 in place, but attach the common score in every report. Nothing internal breaks, and external write-ups become instantly comparable.
Prioritize side by side
When reports across models sit on one ruler, patch and mitigation ordering stops being intuition and starts being a number your team can defend.
Route into SIEM
Because the format is CVSS-compatible, dashboards and vulnerability managers can ingest jailbreak scores through the same pipeline they use today.
Building a shared word
for "dangerous"
Anthropic and other major labs began drafting a common severity metric for AI jailbreaks, modeled on CVSS. Vulnerability severity has been scored differently by every vendor, making cross-vendor comparison hard. Just aligning the ruler unlocks priority, patch order, and bounty design in one motion.
Red-team leads can now map internal scoring onto a shared standard, bridging external reports and in-house metrics. The same acceleration CVSS gave the wider security field is about to reach generative AI — over the next one to two years.