Vulnerability Disclosure

Establishing best practices for responsible vulnerability disclosure in biosecurity

Challenge: A need for nuanced and responsible vulnerability disclosures in biosecurity

AI-enabled biological design has amplified the dual-use potential of biological data and sharpened the tension between open science principles and biosecurity concerns. Unlike cybersecurity, biosecurity has few established systems or norms for responsible data sharing and vulnerability testing. As a result, vulnerabilities in biological datasets and tools are harder to assess and are often not disclosed to the broader research community.

In a recent red-teaming study published in Science, conducted in collaboration with Microsoft, a vulnerability in nucleic acid synthesis screening protocols was identified: AI-generated variants of proteins of concern could bypass the screening used by several synthesis providers, illustrating the risks that AI-enabled biological tools can pose. Working with the synthesis providers, a patch was then developed to make their screening protocols more resilient. IBBIS also developed a managed access process under which access to the study's datasets must be requested and vetted, moving beyond a binary choice between full openness and secrecy.

Our Work

IBBIS aims to follow up on this previous work and establish best practices for vulnerability testing and disclosure in biosecurity, with a focus on AI-enabled biological tools, given the biological risks that vulnerabilities in certain tools could pose. Building on that experience, IBBIS is developing robust frameworks for responsible vulnerability disclosure and response. The work will include:

  • Develop frameworks for vulnerability disclosure and response for AI-enabled biological tools, with multistakeholder input
  • Design and deploy a rigorous yet efficient protocol for vetting users and approving access to biological tools
  • Increase adoption of validated disclosure responses, including managed data access
  • Engage journals, funders, and dataset owners to incorporate managed data access when publishing sensitive datasets, and to disclose potential biosecurity vulnerabilities
  • Expand and adapt the managed access framework to support multiple dataset types and sensitivity tiers

Publications

Wittmann, B.J. et al. (2025). Strengthening nucleic acid biosecurity screening against generative protein design tools. Science, 390: 82-87. https://doi.org/10.1126/science.adu8578 | author PDF

Lewis, G., Millett, P., Sandberg, A., Snyder-Beattie, A. and Gronvall, G. (2019). Information Hazards in Biotechnology. Risk Analysis, 39: 975-981. https://doi.org/10.1111/risa.13235

Millett, P.D. (2024). Five Things Not to Do When Discovering a Biosecurity Vulnerability. Applied Biosafety, 29(3). https://www.liebertpub.com/doi/10.1089/apb.2023.0038

Project Lead | Rassin Lababidi