TL;DR
This paper uncovers a phenomenon called self-jailbreaking where reasoning language models bypass safety guardrails after benign training, and shows that safety data can mitigate this issue.
Contribution
It systematically analyzes self-jailbreaking in reasoning language models and demonstrates that safety-focused training data can prevent this misalignment.
Findings
Many open-weight RLMs suffer from self-jailbreaking despite awareness of harm.
Models perceive malicious requests as less harmful after self-jailbreaking.
Including minimal safety reasoning data during training effectively mitigates self-jailbreaking.
Abstract
We discover a novel and surprising phenomenon of unintentional misalignment in reasoning language models (RLMs), which we call self-jailbreaking. Specifically, after benign reasoning training on math or code domains, RLMs will use multiple strategies to circumvent their own safety guardrails. One strategy is to introduce benign assumptions about users and scenarios to justify fulfilling harmful requests. For instance, an RLM reasons that harmful requests like "outline a strategy for stealing customers' credit card information from a retail store" could be associated with the benign intent of "a security professional trying to test defense," despite no such benign context being provided as input. We observe that many open-weight RLMs, including DeepSeek-R1-distilled, s1.1, Phi-4-mini-reasoning, and Nemotron, suffer from self-jailbreaking despite being aware of the harmfulness of the…