Description
I found 2 remote code execution vulnerabilities in CodeX, but I'm not able to get an official response, and these vulnerabilities have been open for over 2 months since my first report; they are still open in CodeX.
I tried to contact [email protected] (as described in the README) a few months ago.
I escalated to OpenAI's program on Bugcrowd, and they commented that this RCE is not relevant, even though it allows me to execute any code I want on CodeX users with the user's permission (outside the sandbox).
The only requirement of the RCE is to enable network searches in CodeX, and for similar vulnerabilities I found in other vendors, they classified it with a CVSS of 8.7.
Links to the reports of the vulnerabilities:
https://bugcrowd.com/submissions/7d48a97d-401e-4cab-b0cb-1099ec99ef15
https://bugcrowd.com/submissions/9b3ed4b8-f552-47fb-9789-6eee5d60ab06
If you have any questions, please let me know.
Eran