Google is taking steps to address cyber threats related to generative artificial intelligence (GenAI) by expanding its bug bounty scheme, the Vulnerability Rewards Program (VRP), to cover attack scenarios specific to the generative AI supply chain.
Laurie Richardson, vice-president of trust and safety, and Royal Hansen, vice-president of privacy, safety and security engineering, said the firm believed taking this step would not only bring potential security issues to light faster and make AI safer for everyone, but incentivise the broader community to do more research around AI safety and security.
“As part of expanding VRP for AI, we’re taking a fresh look at how bugs should be categorised and reported. Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or misinterpretations of data [or] hallucinations,” they said.
“As we continue to integrate generative AI into more products and features, our Trust and Safety teams are leveraging decades of experience and taking a comprehensive approach to better anticipate and test for these potential risks.
“But we understand that outside security researchers can help us find, and address, novel vulnerabilities that will in turn make our generative AI products even safer and more secure. In August, we joined the White House and industry peers to enable thousands of third-party security researchers to find potential issues at DEF CON’s largest-ever public Generative AI Red Team event.
“Now, since we’re expanding the bug bounty programme and releasing additional guidelines for what we’d like security researchers to hunt, we’re sharing those guidelines so that anyone can see what’s ‘in scope’. We expect this will spur security researchers to submit more bugs and accelerate the goal of a safer and more secure generative AI,” they said.
At the same time, Google is also introducing new measures to better secure the AI supply chain, announcing a number of enhancements to its Secure AI Framework (SAIF), which it launched in June 2023.
The SAIF was designed to help the industry create trustworthy AI applications, with its core founding principle being the protection of the critical supply chain components that enable them against threats such as tampering, data poisoning and the production of harmful content.
In addition, Google is now expanding its open source security work, building on a previous team-up with the Open Source Security Foundation (OpenSSF). Through this partnership, Google’s own Open Source Security Team (GOSST) will use the SLSA (Supply-chain Levels for Software Artifacts) framework to improve resilience in supply chains, and Sigstore to help verify that software in the AI supply chain is what it says it is, i.e. that a model or library a consumer downloads is the artifact its producer actually signed and has not been swapped or tampered with in transit. Google has already made available prototypes for attestation verification with SLSA and model signing with Sigstore.
“These are early steps toward ensuring the safe and secure development of generative AI, and we know the work is just getting started,” said Richardson and Hansen.
“Our hope is that by incentivising more security research while applying supply chain security to AI, we’ll spark even more collaboration with the open source security community and others in industry, and ultimately help make AI safer for everyone.”
Endor Labs security researcher Henrik Plate, who specialises in open source software (OSS) security and AI, commented: “Applying the same security principles and, where possible, tooling to AI/ML is a great opportunity to develop secure systems from the ground up.
“Compared to the emerging AI/ML space, OSS or component-based software development exists for a longer time span, which typically makes it more difficult to bolt security onto well-established technologies without disrupting existing software development and distribution processes.
“There are many similarities between the production and sharing of software components and AI/ML artifacts: Training data can be compared with software dependencies, the trained model with binary artifacts, and artifact registries like Maven Central or PyPI with model registries like Hugging Face. And from the point of view of developers consuming third-party models, those models can be considered like any other upstream dependency.
“Some attacks are also very similar, e.g. the deserialisation of data from untrusted sources, which has haunted some OSS ecosystems for some time already: Serialised ML models may contain malicious code that executes upon deserialisation (a problem of the prominent pickle serialisation format already presented at BlackHat 2011). Hugging Face and open source projects try to address this through dedicated model scanners.”
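The pickle problem Plate refers to, shown as an added example that is not from the article, from Google or from Endor Labs: a constructed "model" pickle whose `__reduce__` hook makes the loader call a function of the attacker's choosing, the default loader that runs it, a restricted unpickler that refuses any global not on an allowlist, and a minimal opcode scanner of the kind dedicated model scanners are built around. The sample model, the allowlist (`collections.OrderedDict`) and the payload are constructed for the demonstration; the payload calls `eval` on a harmless expression where a real one would name `os.system` or similar.

```python
import io
import pickle
import pickletools


class MaliciousModel:
    """Stand-in for a 'model' object an attacker uploads to a registry.

    pickle does not store this class at all; it stores whatever __reduce__
    returns, so on load the unpickler imports builtins.eval and calls it with
    "7 * 6". A real payload would name os.system or subprocess.Popen instead.
    """

    def __reduce__(self):
        return (eval, ("7 * 6",))


# Constructed sample data: a benign 'model' made of plain containers (no
# globals needed to rebuild it), serialised with protocol 4 (STACK_GLOBAL era).
BENIGN_MODEL = {"weights": [0.1, -0.2, 0.3], "bias": 0.5}
BENIGN_PICKLE = pickle.dumps(BENIGN_MODEL, protocol=4)


def build_malicious_pickle(protocol=4):
    """The attacker's artifact; protocol 3 emits GLOBAL, protocol 4+ STACK_GLOBAL."""
    return pickle.dumps(MaliciousModel(), protocol=protocol)


def unsafe_load(data):
    """What many ML loaders do by default: the payload runs during loads()."""
    return pickle.loads(data)


# Hardened loader. Assumed allowlist for this demo: only the globals a model
# format legitimately needs may be resolved; everything else is refused
# before any code runs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects(data):
    """True if the hardened loader refuses the pickle."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def referenced_globals(data):
    """Static scan: list every module.name the pickle would import, without
    executing it. Resolving globals is the only way pickle reaches code, so
    this is the check dedicated model scanners are built around."""
    found = []
    recent_strings = []  # STACK_GLOBAL consumes the two most recent string pushes
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            recent_strings.append(arg)
        elif op.name == "GLOBAL":            # protocol <= 3: "module name" as text
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":      # protocol >= 4: module, name from stack
            found.append((recent_strings[-2], recent_strings[-1]))
    # Caveat: a pickle may re-fetch memoised strings with BINGET instead of
    # pushing them again; a production scanner tracks the memo as well.
    return found


def is_suspicious(data):
    """Flag any pickle that would import something outside the allowlist."""
    return any(g not in ALLOWED_GLOBALS for g in referenced_globals(data))


if __name__ == "__main__":
    evil = build_malicious_pickle()
    print("unsafe_load ->", unsafe_load(evil))          # 42: the payload executed
    print("globals     ->", referenced_globals(evil))   # [('builtins', 'eval')]
    print("rejected    ->", rejects(evil), rejects(BENIGN_PICKLE))  # True False
```

The scanner and the restricted unpickler are complementary: the scan runs before any bytes are handed to `pickle` and can be applied at upload time by a registry, while the allowlisting `find_class` protects the consumer even when a scanner was bypassed. Neither helps against a model that is legitimately allowed to reference an exploitable class, which is why formats that carry no code at all are preferable to pickle for distribution.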