The Hidden Risks of Large Reasoning Models: A Safety Assessment of R1

TL;DR

This paper evaluates the safety and robustness of large reasoning models like R1, revealing significant safety gaps, vulnerabilities to adversarial attacks, and safety concerns linked to their reasoning processes.

Contribution

It provides a comprehensive safety assessment of R1 models, highlighting safety gaps, vulnerabilities, and the safety implications of their reasoning capabilities.

Findings

Open-source LRMs have larger safety gaps than o3-mini.

Stronger reasoning models pose higher safety risks.

Safety thinking often fails under adversarial attacks.

Abstract

The rapid development of large reasoning models (LRMs), such as OpenAI-o3 and DeepSeek-R1, has led to significant improvements in complex reasoning over non-reasoning large language models~(LLMs). However, their enhanced capabilities, combined with the open-source access of models like DeepSeek-R1, raise serious safety concerns, particularly regarding their potential for misuse. In this work, we present a comprehensive safety assessment of these reasoning models, leveraging established safety benchmarks to evaluate their compliance with safety regulations. Furthermore, we investigate their susceptibility to adversarial attacks, such as jailbreaking and prompt injection, to assess their robustness in real-world applications. Through our multi-faceted analysis, we uncover four key findings: (1) There is a significant safety gap between the open-source reasoning models and the o3-mini model, on both safety benchmark and attack, suggesting more safety effort on open LRMs is needed. (2) The stronger the model's reasoning ability, the greater the potential harm it may cause when answering unsafe questions. (3) Safety thinking emerges in the reasoning process of LRMs, but fails frequently against adversarial attacks. (4) The thinking process in R1 models poses greater safety concerns than their final answers. Our study provides insights into the security implications of reasoning models and highlights the need for further advancements in R1 models' safety to close the gap.