DEV Community

Breach Protocol
Breach Protocol

Posted on • Originally published at groundtruth.day

Four rival AI labs propose a shared severity scale for jailbreaks

Four of the biggest names in AI - Anthropic, Amazon, Microsoft, and Google - jointly proposed a standardized scale for rating how dangerous an AI jailbreak actually is. Called the Cyber Jailbreak Severity framework, it runs from CJS-0 (informational) to CJS-4 (critical), and it targets a real problem: in today's discourse, every reported jailbreak sounds equally alarming, whether it produced a mildly off-policy joke or genuinely lowered the bar to a serious cyberattack.

Key facts

  • CJS is a five-level scale, CJS-0 (informational) to CJS-4 (critical), described as 'logarithmic in spirit' - each level is a substantially greater risk than the last.
  • It was proposed jointly by Anthropic, Amazon, Microsoft, and Google.
  • A jailbreak rates as severe only if it goes beyond what is already widely available and materially reduces the expertise, time, or resources for a harmful task.
  • The labs are targeting formalization by August 1, 2026.

The background is that 'jailbreak' has become a badly overloaded word. A jailbreak is any prompt that gets a model to bypass its safety training and produce something it was trained to refuse. But that covers an enormous range - from tricking a chatbot into writing an edgy limerick to, in principle, extracting a genuinely dangerous capability. When every one of these is reported with the same breathless framing, it becomes impossible for companies, researchers, and governments to tell which findings actually matter. The CJS proposal is an attempt to impose a common vocabulary, the way the cybersecurity world has severity scores for software vulnerabilities.

The most important part of the framework is its threshold for calling something severe. Under CJS, a technique is only rated as high-severity if it clears two bars at once: it must go beyond what is already widely available (so eliciting information anyone could find with a search engine doesn't count), and it must materially reduce the expertise, time, or resources needed to accomplish a genuinely harmful cyber task. This 'marginal uplift' test is a deliberate corrective to the common failure mode where a scary-looking model output gets treated as a catastrophe even though it provided nothing a determined person couldn't already get. The scale being 'logarithmic in spirit' reinforces the point - the gap between CJS-3 and CJS-4 is meant to be enormous, reserving the top of the scale for truly critical findings.

An analogy: it is the difference between a fire alarm that rings the same way for burnt toast and a building fire, versus a system that tells you which one you're actually dealing with. The value is entirely in the calibration.

Why it matters: standardization between rival labs is rare and telling. When four companies that compete fiercely on models agree on a shared measurement, it usually signals that the current chaos is costing all of them - here, in credibility with regulators and in the signal-to-noise of safety research. A common severity language also makes it possible to have a sane public conversation: instead of 'researchers jailbroke the AI' headlines that convey nothing about actual risk, a CJS-1 finding and a CJS-4 finding can be discussed as the very different things they are. It connects to the broader safety push visible in the day's other big story, Anthropic's tools for reading a model's hidden intentions, and to the recent reversal of export controls on Anthropic's top models.

The honest caveat: a proposed framework is not an adopted standard, and the hard part is always the judgment calls - who decides whether a given technique 'materially reduces' the resources for an attack, and how transparently. Severity scales in cybersecurity have long been criticized for inconsistent scoring across organizations, and there's no reason to expect AI jailbreaks to be easier to rate. But a shared, deliberately conservative scale that reserves alarm for genuine uplift is a meaningful improvement over a world where every jailbreak is a five-alarm fire. The August 1 formalization target is the date to watch.


Originally published on Ground Truth, where every claim is checked against the primary source.

Top comments (0)