646 points blendergeek | 1 comments

marckohlbrugge No.42727584
OpenAI doesn’t take security seriously.

I reported a vulnerability to them that allowed you to get IP addresses of their paying customers.

OpenAI responded “Not applicable” indicating they don’t think it was a serious issue.

The PoC was very easy to understand and simple to replicate.

Edit: I guess I might as well disclose it here since they don’t consider it an issue. They were/are(?) hotlinking logo images of third-party plugins. When you open their plugin store, it loads a couple dozen of them instantly. This allows those plugin developers (of which there are many) to track the IP addresses and possibly more of who made these requests. It’s straightforward to become a plugin developer and get included. IP tracking is invisible to the user and OpenAI. A simple fix is to proxy these images and/or cache them on the OpenAI server.

replies(2): >>42729779 #>>42732429 #
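The fix the comment above suggests (serve plugin logos through a server-side proxy with a cache, so third-party hosts never see end-user requests), as an added example that is neither OpenAI's code nor the commenter's. The plugin registry, URLs, size limit and fetcher are constructed assumptions; the proxy keys lookups by plugin id rather than by a user-supplied URL so it cannot be turned into an open fetcher.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed registry: plugin id -> logo URL the developer registered.
PLUGIN_LOGOS = {
    "weather": "https://plugins.example.net/weather/logo.png",
    "translate": "https://cdn.example.org/translate/icon.png",
}
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/webp"}
MAX_BYTES = 256 * 1024  # assumed cap for a logo


def render_store_hotlinked(plugin_ids):
    # Leaky rendering: every visitor's browser fetches straight from the
    # developer's host, which therefore sees the visitor's IP and headers.
    return "".join(f'<img src="{PLUGIN_LOGOS[p]}">' for p in plugin_ids)


def render_store_proxied(plugin_ids):
    # Hardened rendering: the page only references the store's own origin.
    return "".join(f'<img src="/logo/{p}">' for p in plugin_ids)


@dataclass
class LogoProxy:
    # fetch(url) -> (content_type, body); injected so the example runs offline.
    fetch: Callable[[str], Tuple[str, bytes]]
    ttl: float = 3600.0
    cache: Dict[str, Tuple[float, str, bytes]] = field(default_factory=dict)
    upstream_fetches: int = 0

    def get(self, plugin_id: str) -> Tuple[int, Optional[str], Optional[bytes]]:
        """Serve /logo/<plugin_id>; returns (status, content_type, body)."""
        url = PLUGIN_LOGOS.get(plugin_id)
        if url is None:  # only registered ids, never caller-chosen URLs
            return 404, None, None
        now = time.monotonic()
        hit = self.cache.get(plugin_id)
        if hit and now - hit[0] < self.ttl:
            return 200, hit[1], hit[2]  # cache hit: no upstream request at all
        self.upstream_fetches += 1  # the only request the developer host sees
        ctype, body = self.fetch(url)
        if ctype not in ALLOWED_TYPES or len(body) > MAX_BYTES:
            return 502, None, None  # refuse to relay non-images or huge bodies
        self.cache[plugin_id] = (now, ctype, body)
        return 200, ctype, body
```

With the proxy in place, many visitors produce a single upstream fetch per cache lifetime, so the developer host learns nothing about individual users.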
griomnib No.42732429
What do they take seriously?
replies(1): >>42737073 #
SSLy No.42737073
lobbying to get their business model protected