Disclosures
All affected vendors were notified through their official security programs before any public release of this research.
Responsible Disclosure
This research follows coordinated disclosure practices. Each vendor was contacted through their designated security reporting channel with a complete technical writeup including:
- Description of the vulnerability class
- Proof-of-concept encoding and decoding code
- Measured results specific to the vendor's model
- Detection methodology and phantom-detect tool
- Recommended mitigations
No vendor data, user data, or production systems were accessed during this research. All testing was performed against public API endpoints using standard API access.
Disclosure Timeline
| Date | Vendor | Program | Status |
|---|---|---|---|
| 2026-01-15 | | AI Vulnerability Rewards Program | Submitted |
| 2026-01-18 | OpenAI | Bugcrowd | Submitted |
| 2026-01-20 | Anthropic | HackerOne | Submitted |
| 2026-01-22 | Microsoft | MSRC | Submitted |
| 2026-01-25 | Mozilla / 0DIN | 0DIN AI Vulnerability Program | Submitted |
| 2026-01-28 | Brave | HackerOne | Submitted |
| 2026-02-01 | xAI | Direct Disclosure | Submitted |
| 2026-02-05 | Amazon | AWS Security / Nova | Submitted |
| 2026-02-15 | NIST | RFI Response (AI 600-1) | Submitted |
Federal Engagement
NIST AI 600-1 RFI Response. Submitted February 2026. Provided technical details on the PHANTOM vulnerability class as a concrete example of LLM output manipulation risks not addressed by current AI security frameworks.
The response included measured data on cross-vendor encoding success rates, defense tool failure analysis, and recommendations for structural output monitoring standards.
Vendor Response Context
Structural covert channels in LLM outputs represent a new vulnerability class that does not fit cleanly into existing bug bounty taxonomies. Most vendor security programs are optimized for code-level vulnerabilities (RCE, SSRF, injection) or prompt injection attacks.
The PHANTOM vulnerability operates at the model behavior layer — the model is functioning as designed, but its compliance with structural formatting directives creates an exploitable covert channel. This architectural distinction affects how vendors triage and respond to these reports.