Slang Bypass: Benchmarking Alignment Failures in Mexican Regional Spanish

Suny

The project aimed to answer this research question: "Does Dialect Break Safety? Measuring Jailbreak Rates for Mexican Slang vs Standard Spanish"

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Reproducibility: No Seed Control

The repository's READ.ME exposes only --target, --technique, --limit, and --dry-run — there is no --seed flag and no documented temperature setting for any of the three LLM calls (attacker, target, judge). The paper claims the benchmark is reproducible, but an independent team cannot replicate the reported ASR figures under these conditions. Pinning temperature and exposing a seed parameter are the minimum fixes needed.

Statistical Validity

20 vs 6 jailbreaks out of 300 attempts each is a small absolute count. The paper reports no confidence intervals, no Fisher's exact test, and no p-value, so it is unclear whether the 3.3× relative risk clears statistical significance. A two-proportion z-test would take minutes to run and should be included.

Este proyecto aborda un problema relevante para la seguridad de la IA: los filtros de seguridad pueden comportarse de manera distinta cuando una intención dañina se expresa en lenguaje informal o regional, en lugar de español neutro o estándar. Su principal fortaleza está en el diseño comparativo: evaluar el mismo intento dañino en jerga mexicana y en español neutro permite observar de manera clara si el registro lingüístico genera una diferencia en la tasa de éxito del ataque.

El hallazgo es valioso porque muestra que el lenguaje coloquial puede convertirse en un punto ciego para los sistemas de seguridad. El proyecto está bien presentado: la pregunta de investigación es clara, el flujo del benchmark se entiende y el resultado principal se comunica de forma directa. Lo más importante no es decir que la jerga sea peligrosa en sí misma, sino mostrar algo más de fondo: como los filtros de seguridad se entrenan principalmente con lenguaje formal, pueden no reconocer el daño cuando este viene expresado en la forma real en que la gente habla en su día a día.

Vale la pena, eso sí, situar el aporte frente a lo que ya existe. La idea de fondo —que las variaciones lingüísticas, el registro informal o el cambio entre idiomas pueden aumentar la efectividad de ciertos ataques— ya ha sido explorada en investigaciones recientes, incluyendo trabajos cercanos sobre español mexicano y de mayor escala. Esto no le quita valor al ejercicio, pero el proyecto ganaría mucho si explicara con precisión en qué se diferencia de esos trabajos y cuál es su contribución propia, que parece estar más en el contraste pareado entre jerga y español neutro y en su métrica de naturalidad que en el mecanismo en sí.

La principal oportunidad de mejora está en la validación. La diferencia observada es prometedora, pero la evaluación tiene limitaciones importantes: la muestra se redujo frente al plan inicial, las corridas de jerga y español neutro no fueron completamente intercaladas, la evaluación dependió de un juez automático sin validación humana y no se reportan intervalos de confianza ni pruebas estadísticas. Una siguiente versión sería más sólida con muestras pareadas más amplias, revisión humana de una parte de los resultados, estimaciones de incertidumbre y pruebas en más modelos y técnicas de ataque.

Desde la perspectiva de gobernanza, el hallazgo del proyecto abre una pregunta de equidad que vale la pena subrayar. Si, como muestran sus resultados, los ataques tienen más éxito cuando se formulan en jerga que en español neutro, eso significa que el filtro protege mejor a quien escribe de manera formal y deja más expuesto a quien escribe como habla la gente en la calle. Visto así, la protección no llega por igual a todos los usuarios. Por eso sería muy valioso que, en futuras versiones, este tipo de prueba se use como un paso previo antes de adoptar o liberar un modelo en América Latina: revisar cómo responde el sistema al habla real de una región, para ver dónde queda gente desprotegida. Así, el ejercicio no serviría solo para buscar fallas mediante ataques simulados, sino como una herramienta para verificar, antes de poner un modelo en uso, si protege por igual a quienes no se expresan en registro formal.

Cite this work

@misc {

title={

(HckPrj) Slang Bypass: Benchmarking Alignment Failures in Mexican Regional Spanish

},

author={

Suny

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.