ownlife-web-logo
First LookAi SafetyJailbreakAnthropicJuly 11, 20266 min read

Anthropic's CJS Scale Wants to Be the CVE Standard for AI Jailbreaks

Anthropic's Cyber Jailbreak Severity scale rates AI jailbreaks across four axes. Here's what the CJS framework means for developers building on frontier models.

Sponsor

Anthropic's CJS Scale Wants to Be the CVE Standard for AI Jailbreaks

Anthropic's CJS Scale Wants to Be the CVE Standard for AI Jailbreaks

Anthropic's Cyber Jailbreak Severity scale rates AI jailbreaks across four axes. Here's what the CJS framework means for developers building on frontier models.

When a security researcher finds a software vulnerability, there's a well-established system for describing how bad it is. CVSS scores, CVE identifiers, and coordinated disclosure processes give everyone from kernel developers to CISOs a shared vocabulary. AI model jailbreaks have had nothing comparable — until now.

On July 2, Anthropic published a draft framework for scoring the severity of AI jailbreaks, proposing what it calls the Cyber Jailbreak Severity (CJS) scale. The framework rates jailbreaks from CJS-0 (informational, minimal risk) to CJS-4 (critical, broad capability unlocks) across four technical axes. It's explicitly designed not just for internal use, but as a proposed industry standard that Anthropic wants academia, other AI companies, civil society, and governments to adopt and critique.

The timing isn't accidental. This framework emerged directly from the chaos surrounding Anthropic's most capable model, Claude Fable 5, which was pulled from availability for nearly three weeks after US export controls were imposed in mid-June, as Anthropic's own account makes clear.

Why This Framework Exists: The Fable 5 Saga

To understand why Anthropic is pushing for standardized jailbreak scoring, you need the backstory.

Anthropic released Claude Fable 5 and Claude Mythos 5 on June 9. Both share the same underlying model, but Fable 5 shipped with strong safety classifiers for general use, while Mythos 5 — with fewer safeguards — was restricted to trusted partners in the government's Project Glasswing program for defensive cybersecurity work.

Three days later, the US government imposed immediate export controls on both models, as Anthropic's account details. The trigger: Amazon researchers had discovered a method to bypass Fable 5's safeguards, prompting it to identify software vulnerabilities in ways Anthropic's classifiers were designed to prevent. Because the export control took effect immediately and Anthropic had no reliable way to verify user nationality in real time, the company suspended access to both models for everyone, as Anthropic's own account makes clear.

The controls were lifted on June 30, and Fable 5 went back online July 1, per Anthropic's post. But the incident exposed a fundamental problem: when Amazon's researchers reported that jailbreak, there was no shared framework for describing how severe it actually was. Was it a minor prompt trick surfacing slightly more detailed security information, or did it functionally strip the model's safeguards entirely? Without a common scale, that conversation between Anthropic, Amazon, and the US government was harder than it needed to be.

The Four Axes: How Anthropic's CJS Scoring Works

The CJS framework evaluates jailbreaks along four dimensions, as detailed in Anthropic's framework announcement and summarized by ASCII News:

Capability gain. How much offensive expertise does the jailbreak unlock? A CJS-1 jailbreak might coax the model into giving slightly more detailed answers about known vulnerabilities. A CJS-4 jailbreak could enable the model to assist with novel exploit development that would otherwise require deep specialist knowledge.

Breadth. Does the jailbreak unlock a narrow category of restricted behavior, or does it blow past safeguards across the board? A jailbreak that only works for a specific type of query scores lower than one that generalizes.

Weaponization ease. Here the framework gets interesting. It distinguishes between offensive security expertise (the attacker's domain knowledge) and LLM expertise (how much prompt engineering skill is needed to execute the jailbreak). A jailbreak that requires a skilled red-teamer to craft but could then be packaged into a simple script for anyone to use scores high on weaponization.

Discoverability. How likely is it that someone would stumble onto this jailbreak independently? A technique that requires creative multi-step prompt manipulation is less urgent than one that a curious user might find by accident.

For developers building on top of these models, the practical implication is straightforward: this is the vocabulary your incident reports will eventually use. If you're integrating Claude (or any frontier model) into a product, understanding these axes helps you reason about your own risk surface.

What This Means for Developers

Three things matter here if you're shipping products that use frontier AI models.

Structured vulnerability reporting is coming. Anthropic launched a HackerOne program alongside this framework, inviting security researchers to submit discovered jailbreaks for structured review, as noted in Anthropic's framework announcement. This mirrors how traditional software vulnerability disclosure works, and it signals that AI model security is being pulled into the same professional ecosystem. If you're building on Claude's API, expect that jailbreak reports will start arriving with CJS scores attached, and you'll need processes for triaging them.

Your responsibility layer is getting clearer. The framework draws an unusually specific line between what Fable 5's classifiers block and what they don't. Anthropic's safeguards documentation breaks requests into four tiers: prohibited use, high-risk dual-use, low-risk dual-use, and benign activities. If you're building a security tool on top of Fable 5, you now have a published reference for what the base model is supposed to catch versus what you need to handle in your own application layer.

Model selection just got a new dimension. When multiple frontier models compete for your integration, jailbreak resilience becomes a differentiator you can actually compare — but only if multiple vendors adopt compatible scoring frameworks. Right now, this is Anthropic's proposal. Whether OpenAI, Google, or others adopt something similar will determine if CJS becomes a real standard or just one company's internal taxonomy.

The Bigger Picture: Standards vs. Reality

Anthropic is positioning this framework as a conversation starter, not a finished product. The company is soliciting feedback at a dedicated email address and explicitly describes what it published as an "early draft version," per its own post.

That's the right framing — several hard questions remain unanswered.

First, scoring subjectivity. CVSS scores for traditional software vulnerabilities are already criticized for being inconsistent across organizations. AI jailbreaks are arguably harder to score objectively because the harm depends heavily on context — who's using the model, what downstream systems it's connected to, what data it has access to. A CJS-3 jailbreak against a model powering a chatbot is very different from the same jailbreak against a model integrated into a network security pipeline.

Second, the framework is cybersecurity-focused. The "C" in CJS stands for "Cyber." Jailbreaks that produce harmful content in other domains — bioweapons information, CSAM, manipulation tactics — aren't directly addressed by this scoring system. A comprehensive industry standard would need to extend beyond cyber.

Third, there's a tension between transparency and security. Publishing detailed jailbreak severity criteria gives defenders a shared language, but it also gives attackers a roadmap for what the high-value targets look like. It is the same debate the security community had about full disclosure decades ago, now replaying in AI.

What Comes Next

Anthropic's approach here builds on its broader safety philosophy. The company's Constitutional AI research, published in 2022, established methods for training AI systems to self-critique and revise harmful outputs using written principles rather than human labels on every output. The CJS framework is a natural extension: if you're going to train models to refuse dangerous requests, you need a way to measure how well those refusals hold up under adversarial pressure.

The real test is adoption. If other major AI labs publish compatible severity frameworks — or better yet, collaborate on a shared one — developers get a genuine standard they can build processes around. If this remains Anthropic-only, it's useful but limited.

For now, if you're building on frontier models, the actionable move is simple: read the framework, understand the four scoring axes, and start thinking about how your application layer handles the categories of requests that fall between "clearly blocked" and "clearly allowed." That middle ground is where most real-world risk lives, and it's where your engineering decisions matter most.

What's your next step?

Every journey begins with a single step. Which insight from this article will you act on first?

Sponsor