Anthropic and Glasswing partners publish the first AI jailbreak severity scale for Fable 5
The AI industry has had no shared language for how bad a jailbreak actually is. Anthropic changed that on July 2, publishing a five-band Cyber Jailbreak Severity (CJS) scale alongside a public HackerOne vulnerability disclosure program for Fable 5. Amazon, Microsoft, Google, and other Project Glasswing members co-developed the framework.
What
Anthropic posted two documents on July 2 tied to the global re-release of Claude Fable 5 per the company's announcement. The first is a detailed breakdown of Fable 5's four-tier cybersecurity classifier system: Prohibited Use, High-Risk Dual Use, Low-Risk Dual Use, and Benign Use. Each category lists specific examples of what the model will and will not do. Ransomware assistance, AV/EDR bypass, and C2 infrastructure sit in "Prohibited." Legitimate penetration testing and bug bounty work sit in "High-Risk Dual Use" and are also blocked for now, until Anthropic can verify authorized users.
The second document, and the more significant one, is the draft Cyber Jailbreak Severity (CJS) framework. It rates jailbreaks on a five-band scale: CJS-0 (Informational) through CJS-4 (Critical). The bands are designed to be exponential rather than linear, so each step up represents a materially larger risk.
Four axes drive the score. Two describe what the attacker gains: "capability gain" (how far beyond existing tools the jailbreak takes them) and "breadth" (how many distinct attack tasks the same technique unlocks). Two describe how fast the risk spreads: "ease of weaponization" and "discoverability." A jailbreak that scores zero on capability gain receives CJS-0 regardless of the other axes.
Alongside the framework, Anthropic opened a public HackerOne Cyber Jailbreak VDP where any security researcher can submit Fable 5 jailbreaks for review. The program does not pay bounties; it is a disclosure channel, not a bug bounty. Anthropic's existing paid model-safety bug bounty program (up to $25,000 for constitutional classifier bypasses) remains separate.
Why it matters
The CVE severity system (CVSS) took years to become useful, but it eventually gave security teams a shared shorthand for triage. The CJS framework is attempting the same thing for AI jailbreaks, at a moment when governments are writing export controls partly on the basis of whether a model can be jailbroken into producing dangerous outputs.
The stakes here are concrete. The US government suspended Fable 5 on June 12 after Amazon researchers found a bypass that the government interpreted as a safety failure per Anthropic's redeployment post. Anthropic's testing showed the same technique worked on GPT-5.5, Claude Opus 4.8, and Kimi K2.7. Without a shared severity standard, there was no agreed way to determine whether a reported technique actually crossed a meaningful line. CJS is a direct response to that gap.
For operators running Fable 5 in enterprise settings: the four-category classifier breakdown is the most actionable part. Fable 5 will block penetration testing work even with explicit authorization, because Anthropic has no real-time way to verify authorization. Ops teams building security tooling on top of the model need to route those workloads elsewhere, or wait for Anthropic to build verified-access controls.
Context and what to watch
The CJS framework is described as a draft; Anthropic is soliciting feedback at [email protected]. The HackerOne VDP opened July 1, one day after export controls were lifted, and the July 2 post formalized its scope and scoring rules.
Three things merit tracking: whether NIST picks up or critiques the CJS scale; whether Glasswing partners publish CJS-scored findings on competing models; and whether the VDP generates public disclosures that factor into future export-control reviews. Anthropic has asked for academic and civil society input, so the framework should evolve as submissions arrive.
Sources
- More details on Fable 5's cyber safeguards and our jailbreak framework (Anthropic, July 2, 2026, primary)
- Redeploying Claude Fable 5 (Anthropic, June 30, 2026, primary)
- Anthropic Cyber Jailbreak VDP on HackerOne (HackerOne, primary)
- Anthropic Details Claude Fable 5 Cybersecurity Safeguards and Jailbreak Framework (Cybersecurity News, secondary)