I was recently using a website that was using OpenAI APIs in the backend. I was able to obtain their OpenAI key by inspecting the network calls made in the browser.
Is there a way I can report these exposed API keys to OpenAI? I’ve been looking online, but there isn’t anything on how to do this. Couldn’t even find an email to send to.
Misconfiguration by a developer will likely be $0, so if it is trivial to access, you can also simply report to the site contact that they are doing API very wrong.
Connections to OpenAI should never originate from a remote client.
Also, it might be a good idea to contact the website exposing their keys in such a public fashion. Maybe check whether they have a bug bounty program on either HackerOne or Bugcrowd; finding such keys would certainly result in cash rewards.
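The thread describes spotting a key in the browser's network calls. As an added example (not from any poster), here is the same check a site owner can run against their own frontend: export the DevTools network log as HAR and scan it for OpenAI-style keys or direct calls to api.openai.com, which should only ever come from the backend. The HAR below is constructed, and the assumption that OpenAI secret keys start with "sk-" is mine, not from the thread.

```python
import json
import re

# Constructed sample in HAR shape (not a real capture): what a DevTools
# "Save all as HAR" export records for two requests made by a web frontend.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://api.openai.com/v1/chat/completions",
                 "headers": [{"name": "Authorization",
                              "value": "Bearer sk-EXAMPLE0000000000000000000000000000000000000000"}]}},
    {"request": {"url": "https://example-app.test/api/chat",
                 "headers": [{"name": "Content-Type", "value": "application/json"}]}},
]}})

# Assumption: OpenAI secret keys carry an "sk-" prefix. The pattern is kept
# loose on purpose so later changes to the key format still match.
KEY_PATTERN = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")


def redact(key):
    """Keep only the ends of a matched key so findings can be shared safely."""
    return key[:6] + "..." + key[-4:]


def find_exposed_keys(har_text):
    """Return one (url, redacted_keys, direct_openai_call) tuple for every
    browser request that carries an OpenAI-style key in its URL, headers or
    body, or that talks to api.openai.com at all. Either is a finding: the
    client should only ever talk to the site's own backend."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = req["url"]
        blob = " ".join(h["value"] for h in req.get("headers", []))
        blob += " " + req.get("postData", {}).get("text", "")
        blob += " " + url
        keys = KEY_PATTERN.findall(blob)
        direct = "api.openai.com" in url
        if keys or direct:
            findings.append((url, [redact(k) for k in keys], direct))
    return findings


if __name__ == "__main__":
    for url, keys, direct in find_exposed_keys(SAMPLE_HAR):
        print(f"{url}: keys={keys} direct_openai_call={direct}")
```

Any non-empty result means the key lives in client-delivered code or config and must be rotated and moved behind a server-side endpoint.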