What version of the Codex App are you using (From “About Codex” dialog)?
Version 26.422.21637 (2056)
What subscription do you have?
Pro
What platform is your computer?
Darwin 25.4.0 arm64 arm
What issue are you seeing?
Summary
A Codex research run was flagged for potentially high-risk cyber activity, but the task was passive product and service research on publicly accessible pages of a German web hosting provider.
The goal was to understand the provider's webhosting products, tariffs, documentation, and available service features. The run crawled public pages, sitemaps, robots.txt, and publicly linked documentation pages in order to build a structured feature/service overview.
This was not a cybersecurity assessment, vulnerability scan, penetration test, exploit research, credential search, infrastructure enumeration, or attempt to access non-public systems.
I can provide the exact provider name, thread details, and screenshots privately if needed.
Banner text
The UI displayed a cyber-safety banner similar to:
This request has been flagged for potentially high-risk cyber activity. Learn more here: https://platform.openai.com/docs/guides/safety-checks/cybersecurity
The chat also showed a German product banner indicating that the chat was flagged because of a possible cybersecurity risk.
Impact
The flag makes the thread appear as if it involved potentially unsafe cybersecurity work, even though the intent and activity were ordinary product research.
This creates uncertainty about whether the thread can continue normally and whether future passive research tasks involving technical product documentation may be incorrectly classified.
The likely trigger seems to have been that the public documentation contains technical terms such as DNS, SSH, SSL, databases, mail, APIs, robots.txt, and sitemaps, and that the research run explored a relatively large number of public HTML pages.
When
Date: April 24, 2026
Approximate context: during a Codex chat about researching public webhosting products and documentation in the project_research-data workspace/project.
Environment
Product: Codex desktop app
Model shown in UI: GPT-5.5, extra high reasoning
Workspace/project: project_research-data
Task/thread title: Research public webhosting products and documentation
Target website: public website and publicly linked documentation pages of a German web hosting provider
Platform: macOS / Darwin 25.4.0 arm64 arm
Cyber verification: I verified myself through https://chatgpt.com/cyber after the flag appeared.
Request
Please review this flag as a likely false positive and remove the cyber-safety flag from the chat/thread if appropriate.
I have also completed the cyber verification flow at https://chatgpt.com/cyber.
If the flag cannot be removed, please clarify how passive product research over public technical documentation should be phrased or scoped in Codex to avoid being mistaken for high-risk cybersecurity activity.
The intended scope was:
- Passive product and service research only
- Publicly accessible web pages only
- No login areas
- No vulnerability discovery
- No exploit development
- No credential search
- No scanning or probing of infrastructure
- No attempt to bypass access controls
What steps can reproduce the bug?
- Start a Codex Desktop App thread for passive product research on a German web hosting provider's public website and public documentation.
- Ask Codex to collect and structure information about public webhosting products, tariffs, service features, and documentation.
- Allow Codex to crawl publicly accessible pages, including public sitemaps, robots.txt, and publicly linked documentation/help pages.
- The researched public documentation includes technical product terms such as DNS, SSH, SSL, databases, mail, APIs, robots.txt, and sitemaps.
- After the run explored a larger number of public HTML pages, the thread was marked with a cyber-safety warning for potentially high-risk cyber activity.
No login areas, private systems, vulnerability testing, exploit research, credential search, infrastructure scanning, or access-control bypass were requested or performed.
What is the expected behavior?
Codex should not mark a thread as potentially high-risk cyber activity when the request is limited to passive product research over publicly accessible web pages and documentation.
If technical webhosting terminology such as DNS, SSH, SSL, databases, mail, APIs, robots.txt, or sitemaps appears in public product documentation, Codex should treat that as ordinary product/documentation content unless the user requests security testing, exploitation, credential discovery, scanning, probing, or access to non-public systems.
At minimum, the UI should provide a clearer way to distinguish passive public documentation research from actual cybersecurity activity, or provide a way to request review/removal of a false-positive flag.
Additional information
No response
What version of the Codex App are you using (From “About Codex” dialog)?
Version 26.422.21637 (2056)
What subscription do you have?
Pro
What platform is your computer?
Darwin 25.4.0 arm64 arm
What issue are you seeing?
Summary
A Codex research run was flagged for potentially high-risk cyber activity, but the task was passive product and service research on publicly accessible pages of a German web hosting provider.
The goal was to understand the provider's webhosting products, tariffs, documentation, and available service features. The run crawled public pages, sitemaps, robots.txt, and publicly linked documentation pages in order to build a structured feature/service overview.
This was not a cybersecurity assessment, vulnerability scan, penetration test, exploit research, credential search, infrastructure enumeration, or attempt to access non-public systems.
I can provide the exact provider name, thread details, and screenshots privately if needed.
Banner text
The UI displayed a cyber-safety banner similar to:
The chat also showed a German product banner indicating that the chat was flagged because of a possible cybersecurity risk.
Impact
The flag makes the thread appear as if it involved potentially unsafe cybersecurity work, even though the intent and activity were ordinary product research.
This creates uncertainty about whether the thread can continue normally and whether future passive research tasks involving technical product documentation may be incorrectly classified.
The likely trigger seems to have been that the public documentation contains technical terms such as DNS, SSH, SSL, databases, mail, APIs, robots.txt, and sitemaps, and that the research run explored a relatively large number of public HTML pages.
When
Date: April 24, 2026
Approximate context: during a Codex chat about researching public webhosting products and documentation in the
project_research-dataworkspace/project.Environment
Product: Codex desktop app
Model shown in UI: GPT-5.5, extra high reasoning
Workspace/project:
project_research-dataTask/thread title: Research public webhosting products and documentation
Target website: public website and publicly linked documentation pages of a German web hosting provider
Platform: macOS / Darwin 25.4.0 arm64 arm
Cyber verification: I verified myself through https://chatgpt.com/cyber after the flag appeared.
Request
Please review this flag as a likely false positive and remove the cyber-safety flag from the chat/thread if appropriate.
I have also completed the cyber verification flow at https://chatgpt.com/cyber.
If the flag cannot be removed, please clarify how passive product research over public technical documentation should be phrased or scoped in Codex to avoid being mistaken for high-risk cybersecurity activity.
The intended scope was:
What steps can reproduce the bug?
No login areas, private systems, vulnerability testing, exploit research, credential search, infrastructure scanning, or access-control bypass were requested or performed.
What is the expected behavior?
Codex should not mark a thread as potentially high-risk cyber activity when the request is limited to passive product research over publicly accessible web pages and documentation.
If technical webhosting terminology such as DNS, SSH, SSL, databases, mail, APIs, robots.txt, or sitemaps appears in public product documentation, Codex should treat that as ordinary product/documentation content unless the user requests security testing, exploitation, credential discovery, scanning, probing, or access to non-public systems.
At minimum, the UI should provide a clearer way to distinguish passive public documentation research from actual cybersecurity activity, or provide a way to request review/removal of a false-positive flag.
Additional information
No response