Jailbreak attacks cause large language models (LLMs) to generate harmful, unethical, or otherwise unwanted content. Evaluating these attacks presents a number of challenges, and the current landscape of benchmarks and evaluation techniques is fragmented. First, assessing whether LLM responses are indeed harmful requires open-ended evaluations which are not yet standardized. Second, existing works compute attacker costs and success rates in incomparable ways. Third, some works lack reproducibility as they withhold adversarial prompts or code, and rely on changing proprietary APIs for evaluation. Consequently, navigating the current literature and tracking progress can be challenging.

To address this, we introduce JailbreakBench, a centralized benchmark with the following components:

1. Repository of jailbreak artifacts. An evolving dataset of state-of-the-art adversarial prompts at https://github.com/JailbreakBench/artifacts, referred to as jailbreak artifacts, which are explicitly required for submissions to our benchmark to ensure reproducibility.
2. Standardized evaluation framework. Our library at https://github.com/JailbreakBench/jailbreakbench that includes a clearly defined threat model, system prompts, chat templates, and scoring functions.
3. Leaderboard. Our leaderboards here (https://jailbreakbench.github.io/) that track the performance of attacks and defenses for various LLMs.
4. Dataset. A representative dataset named JBB-Behaviors at https://huggingface.co/datasets/JailbreakBench/JBB-Behaviors composed of 100 distinct misuse behaviors (with 55% original examples and the rest sourced from AdvBench and TDC/HarmBench) divided into ten broad categories corresponding to OpenAI's usage policies. Moreover, now it is complemented with 100 benign behaviors that can be used to quickly evaluate overrefusal rates for new models and defenses.