Last Week in AppSec for 12. August 2025 - Checkmarx


August 12, 2025

 

Here are some news items our team found interesting over the past week, which you might have missed.

ChatGPT-5 System Prompt immediately leaked

OpenAI released GPT-5 in its ChatGPT platform, but researchers almost immediately discovered and published the ChatGPT-5 system prompt, a reminder that system prompts should not contain anything critical or sensitive.

The system prompt contains several interesting instructions, including broad permission to search the web in response to user prompts, and further instructions on suggesting alternatives when prompts or outputs violate guardrails and/or content policies.

The prompt also includes provisions for executing Python code within a sandbox, retrieving user-provided URLs, and favoring web search information over general model responses when the user prompt is “high stakes”. It uses the possibility of recommending an outdated software package version as one example of a high-stakes situation.

CISA pledges continued support for CVE

CISA (US Cybersecurity & Infrastructure Security Agency) pledged continued support of the CVE program, an important message after April’s de-funding scare.

However, the discussion at Black Hat also served as a reminder that continued funding of the CVE and related programs relies on the US Congress continuing to authorize the budget, reiterating some concerns the global community has about the US-centric nature of the MITRE CVE database.

AppSec Village finishes out at DEF CON 33

The AppSec Village at DEF CON 33 featured many engaging and educational talks. Keep an eye on the YouTube channel for recordings, but be patient – it can take a few months.

Meanwhile, the above-linked event page has social media contacts and related information for many of the talks and presenters, which can be a great way to build your network and get an overview of the presented topics. And of course, since several of us at Checkmarx Zero help out with AppSec Village every year, we encourage you to keep an eye on the RFP section and submit your talk, workshop, and pod ideas!
