DANCEKNIGHTPRIME
EMDEXTER
CULTURE · MOVEMENT · DOMINANCE
HOUSE OF KONG
HOVER OR TOUCH TO ENTER
LOADING



















Chimp Magnet Mansion House of Kong
◆   ◆   ◆
Chimp Magnet
Trillionaire Club
The Mansion
House of Kong
◆   ◆   ◆
Loading posts…
Chimp Magnet Penthouse House of Kong
◆   ◆   ◆
Chimp Magnet
Trillionaire Club
The Penthouse
House of Kong
◆   ◆   ◆



Breaking News

header ads
Intercepting Transmission…
UNNECESSARYHouse of Kong · Live Feed
FILE --/--

Inside the Jailbreak Severity Framework

Fable 5 wasn’t recalled for being too weak. It was recalled because Amazon researchers found a way to turn it into a vulnerability-hunting tool, and Anthropic discovered cheaper models could do the same thing. Day 30 breaks down the new safety classifier, the four-axis jailbreak severity framework Anthropic built with Amazon, Microsoft, and Google, and what it actually means to grade a model exploit by capability gain, breadth, weaponization ease, and discoverability.
Inside The Machine
Inside The Machine
Authored by Neal Lloyd  ·  Daily AI Series
Inside The Machine
← All Episodes
30
Issue 30  ·  AI Corner  ·  Inside The Machine
Day 30
AI Safety · Jailbreaks · Grading a Model Exploit Like a Vulnerability

Inside the Jailbreak Severity Framework
Fable 5 Wasn’t Recalled for Being Too Weak. It Was Recalled Because a Researcher Turned It Into a Vulnerability-Hunting Tool — and Anthropic Found Cheaper Models Could Do the Same Thing.

The technical story behind the Fable 5 recall finally has a shape. Amazon researchers discovered a way to prompt Fable 5 into hunting for software vulnerabilities and writing code to exploit them — and when Anthropic tested whether cheaper models like GPT-5.5 could do the same thing, they could. The response was not just a patch. It was a four-axis framework, built with Amazon, Microsoft, Google, and other Project Glasswing partners, for grading how dangerous a jailbreak actually is. Day 30 breaks down what that framework measures and why it matters more than the recall itself.

Neal Lloyd
Neal Lloyd
Author  ·  Inside The Machine  ·  July 2026
12 min read

Fable 5 did not break. Its guardrails did, briefly, and the fallout tells you more about where AI safety is actually heading than any single product launch could. A model finding software vulnerabilities was never really the story. The story is that once one lab found the trick, testing showed three other companies’ models could do it too — and the industry’s response was not to patch one model, but to build a shared vocabulary for how dangerous any jailbreak is, on any model, going forward.

Neal Lloyd  ·  Inside The Machine, Day 30

Here is the fuller version of the story Ground Truth covered across Episodes 8 through 20: on June 12th, the US government imposed export controls on Claude Fable 5 and Mythos 5, and Anthropic pulled both offline worldwide. The trigger, now confirmed, was that Amazon researchers had discovered a way to prompt Fable 5 into hunting for software vulnerabilities and writing code to exploit them — a genuine offensive security capability, not a theoretical concern. Anthropic then tested whether cheaper, more widely available models could replicate the technique. GPT-5.5 could. So could others. The capability was never unique to Fable 5; it was a property of frontier-adjacent models generally, discovered first in the one being tested most closely. This is Day 30 of Inside The Machine. Today we go inside the actual fix — a new safety classifier, and a four-axis severity framework built with three of Anthropic’s biggest competitors — and ask what it means to grade a model jailbreak the way a security team grades a software vulnerability.

Section I — What Actually Happened to Fable 5

A Model Learned to Hunt Vulnerabilities. So Did the Competition.

The mechanism matters more than the headline. Amazon researchers, testing Fable 5 as part of routine red-team work, found they could coax it into identifying software vulnerabilities and then generating working exploit code for them — taking the model beyond describing a weakness into actively producing a usable attack. That is a meaningfully different capability than the kind of jailbreak that gets a model to say something it shouldn’t. It is a model doing offensive security work end-to-end, unsupervised, on request.

Anthropic’s response, once the finding reached them, was not to assume the capability was unique to Fable 5. The company tested cheaper, more widely deployed models — including OpenAI’s GPT-5.5 — specifically to see whether the same technique worked elsewhere. It did. That single test result reframes the entire recall: the US government pulled one company’s model offline for nineteen days over a capability that, per Anthropic’s own testing, several other companies’ models already possessed and were serving to the public the entire time.

That is the finding this series flagged in Episode 19 as the credibility question underneath the restoration — if the capability was never unique, the export-control framework treated a shared industry risk as a single-company problem. The fix Anthropic built in response, covered below, is the first real attempt to stop treating it that way.

⚡ The New Safety Classifier, By the Numbers

Anthropic’s restoration post describes a new safety classifier layered specifically against the reported vulnerability-hunting technique. The company states it blocks the exact trick Amazon flagged in over 99% of cases — a high bar, but not the same thing as zero, and a reminder that a classifier is a mitigation layered on top of a capability, not a removal of the capability itself.

Section II — The Four-Axis Framework

Grading a Jailbreak the Way a Security Team Grades a Vulnerability

Working with Amazon, Microsoft, Google, and other Project Glasswing partners, Anthropic proposed a jailbreak severity framework that grades any given bypass across four axes rather than treating every jailbreak as equally alarming. Capability gain measures how much new offensive power the jailbreak actually unlocks beyond what a determined user could already do with existing tools. Breadth measures how many models or systems the technique works against — a trick that only works on one model is a narrower problem than one that generalises across a class of models, as the Fable 5 exploit did. Ease of weaponisation measures how much additional technical skill is required to turn the jailbreak into an actual usable attack. Discoverability measures how likely independent researchers, criminals, or state actors are to find the same technique on their own, with or without a public disclosure.

The framework borrows its logic directly from vulnerability management in traditional cybersecurity, where a CVE score tells a security team how urgently to patch something based on exploitability and impact, not just on whether a bug exists at all. Applying the same discipline to AI jailbreaks is a meaningful maturation: it replaces a binary panic response — recall the model, ban the query, pull the plug — with a graduated one, where the response scales to the actual severity rather than to how alarming the headline sounds.

The framework also does something quieter and arguably more important: it gives four major labs a shared vocabulary for discussing jailbreaks with each other and with regulators, without each company inventing its own private severity scale that nobody else can compare against. That shared vocabulary is precisely the kind of foundational infrastructure this series has argued, in the governance conversations covered on Day 25 and Day 29, that AI safety has been missing at the international level.

A CVE score tells a security team whether to patch something tonight or next quarter. Until this week, the AI industry had no equivalent for its own jailbreaks — every recall looked the same regardless of how dangerous the underlying exploit actually was. A four-axis severity scale, shared across four competing labs, is the first sign that AI safety is starting to borrow the discipline cybersecurity built decades ago.
Neal Lloyd  ·  Inside The Machine, Day 30
Section III — What This Actually Changes Going Forward

A Framework Only Works If Labs Actually Use It Before the Next Crisis

A severity framework only matters if it changes what happens the next time a lab finds a comparable exploit. The test case is straightforward: does the next discovery of a Fable-5-style capability get a proportionate, four-axis-informed response, or does it default back to the same blunt recall-first instinct that cost Anthropic nineteen days and a supply-chain risk designation this time? The framework is only as credible as the first real crisis it gets applied to.

There is also an incentive question underneath the technical one. Grading jailbreaks honestly sometimes means admitting a competitor’s model has the same flaw your own model does — which is exactly what Anthropic did by testing GPT-5.5 and publishing the result. That kind of disclosure only keeps happening if it does not become a one-way tax on the company doing the disclosing. Four labs sharing a severity vocabulary works only if all four are equally willing to name their own models’ failures, not just each other’s.

The framework also does not resolve the governance question this series raised on Day 29: national regulators still each decide independently how to respond once a severity score is assigned. A shared way of measuring the problem is real progress. It is not the same as a shared, binding way of responding to it — and that gap is where the next several months of AI safety policy will actually get decided.

The real test of the jailbreak severity framework is not whether it exists. It is whether Anthropic, Amazon, Microsoft, and Google keep using it honestly once one of their own models is the one that fails the grade — because a severity scale that only gets applied to the company that already got caught is not a framework, it is a press release.
Neal Lloyd  ·  Inside The Machine, Day 30
— Neal Lloyd
Inside The Machine, Day 30  ·  July 5 2026
Neal Lloyd
About The Author Neal Lloyd
Neal Lloyd
Author  ·  Series Creator
Authored by Neal Lloyd

Neal Lloyd writes about technology, human adaptation, and the uncomfortable questions nobody wants to answer at dinner. Inside The Machine is his ongoing daily series on AI.

By The Numbers
99%+
Rate at which Anthropic’s new safety classifier blocks the reported vulnerability-hunting technique, according to the company’s own restoration announcement.
4
Axes in the jailbreak severity framework: capability gain, breadth, ease of weaponisation, and discoverability.
19
Days Fable 5 spent offline — the length of the crisis that produced the framework, and the cost of not having one sooner.
Key Concepts
Vulnerability-Hunting Jailbreak
The specific technique Amazon researchers found in Fable 5: prompting the model to identify software vulnerabilities and generate working exploit code, rather than merely describing a weakness.
Jailbreak Severity Framework
The four-axis system Anthropic built with Amazon, Microsoft, Google, and other Project Glasswing partners to grade how dangerous a given jailbreak actually is, rather than treating every bypass as equally alarming.
Capability Gain (Axis 1)
How much new offensive power a jailbreak unlocks beyond what a determined user could already achieve using existing, non-AI tools.
Breadth (Axis 2)
How many different models or systems a jailbreak technique works against — the property that reframed the Fable 5 recall once testing showed GPT-5.5 shared the same flaw.
Discoverability (Axis 4)
How likely independent researchers, criminals, or state actors are to find a given jailbreak technique on their own, with or without any public disclosure of it.
Inside The Machine
An ongoing daily editorial series on artificial intelligence.
Authored by
Neal Lloyd
Day 30  ·  Ongoing Series  ·  July 5 2026  ·  © Neal Lloyd







Chimpmagnet Trillionaire Club

W/S move A/D strafe drag to look

W/SMove
A/DStrafe
DragLook
Untitled
Work No. 01
Drag to look around
Click to explore





You might also like
Related Posts
1 / 6
Finding related posts