TRUST-VLM: Thorough Red-Teaming for Uncovering Safety Threats in Vision-Language Models

Thanks for your constructive feedback and suggestions.

Q1: Comparison with automatic red-teaming methods like HADES.

R1: Thank you for your thoughtful suggestion. We have conducted comparisons with both HADES and another recent jailbreak-based method. Besides, we also conducted comparisons with the SOTA red-teaming method, Arondight. Due to space constraints, we kindly refer you to our detailed responses to Reviewer iB5W’s Q2 and Q3, where we analyze these methods and contrast their performance with our TRUST-VLM approach.

Q2: Reliance on human-designed prompts and categories.

R2: In this paper, our primary objective is to investigate whether we can effectively leverage the inherent capabilities of LLMs for red-teaming without relying on extensive data collection or computational resources. To this end, we employ demonstrations and iterative feedback mechanisms, enabling the LLM to autonomously generate diverse and effective adversarial test cases. This approach offers flexibility across models of varying modalities and architectures. Furthermore, recognizing that model developers might prioritize different safety aspects, our framework inherently allows easy adjustment and targeted exploration of various safety domains. Our experimental results also demonstrate that TRUST-VLM achieves strong performance across multiple models, diverse harmful categories, and varying generation settings, underscoring the general applicability and robustness of our auto red-teaming approach. We will explicitly clarify these advantages and generalizability of our auto red-teaming framework in our revision.

Q3: Practical recommendations for reinforcing VLMs insufficiently discussed.

R3: We agree that discussion of defensive strategies enhances the practical impact of our research. Specifically, we provide two possible practical defensive approaches based on the adversarial test cases (both image and text prompts) discovered by our TRUST-VLM method:

1. Safety Alignment via Fine-tuning: We can utilize the harmful test cases identified by our red-teaming approach to fine-tune VLMs, explicitly aligning harmful inputs with safe or prohibited responses. This method mirrors standard industry practices for model safety alignment, serving as a “safety patch” that effectively mitigates discovered vulnerabilities.
2. Neuron Masking for Model Purification: Inspired by the method proposed in [1], another viable defensive strategy involves examining neuron activations triggered by harmful prompts. Using adversarial inputs (image and text prompts) identified by TRUST-VLM, model owners can pinpoint neurons responsible for undesirable behaviors and subsequently mask or remove these neurons to purify and strengthen the robustness of the model. From the above defensive strategies, it is evident that employing advanced red-teaming methods to uncover diverse vulnerabilities is the key to enhance the effectiveness and robustness of model protection. We will integrate these possible defensive approaches into our revision.

Q4:Essential References Not Discussed

R4:Thank you for your valuable suggestion. Our paper primarily focuses on red-teaming as a systematic method for vulnerability discovery, rather than on jailbreak-style adversarial attacks. As such, we selectively discussed a few jailbreak-related works in the current version. We acknowledge that additional relevant works—such as those by Dong et al., Gong et al., and Zhang et al.—can further enrich the related work section. We will include these works in our revision to provide a more comprehensive overview of existing adversarial and red-teaming approaches for VLMs.

---

[1] Huang et al., Antidote: Post-fine-tuning Safety Alignment for Large Language Models against Harmful Fine-tuning.

Thanks for your careful review and thoughtful comments.

Q1: Distinction from existing adversarial methods.

R1: We apologize for any confusion caused. Our red-teaming method differs significantly from adversarial attacks such as jailbreak. As detailed in Related Works (Section 2.3), the primary objective of red-teaming is to systematically explore and uncover a broader and more diverse set of vulnerabilities in VLMs. Red-teaming covers a wide range of inputs, including deliberate adversarial attacks (such as jailbreak), as well as unintentional harmful prompts from regular users—essentially any input that could potentially lead to harmful outputs. In contrast, adversarial attacks like jailbreak focus primarily on maximizing the attack success rate by generating specific, malicious prompts, inherently limiting their capacity to discover diverse model vulnerabilities.

We believe that adversarial attacks such as jailbreak complement our red-teaming approach and can together help model developers better assess the safety of their models. As outlined in our response to the usage of red-teaming in safety defense, our TRUST-VLM method provides actionable adversarial test cases that directly support developers in refining and aligning their VLMs, further highlighting the practical value and distinct advantage of our red-teaming approach.

Q2: Comparison with SOTA jailbreak attacks.

R2: Thank you for pointing this out. To further illustrate the distinction between our red-teaming framework and traditional jailbreak-style attacks, we briefly compare our method with two recent SOTA jailbreak approaches below:

• Qi et al. [1] adapt adversarial attacks from the computer vision domain to VLMs by applying PGD-based perturbations to clean images. The attack input is structured as {image: random clean image + perturbation, text: random harmful prompt}, with the goal of inducing harmful responses. However, since there is no meaningful correlation between images and texts, and the attack only perturbs the image, the success rate remains very low, as shown in our experimental comparison below. Moreover, the image inputs are fixed and lack diversity.
• Li et al. [2] improve the attack success rate by jointly optimizing both the image and text inputs. While this boosts effectiveness, the resulting test cases tend to be extremely toxic and can easily be filtered out by safety filters—undermining their utility in real-world red-teaming.

In contrast, our TRUST-VLM framework generates realistic, diverse, and semantically aligned image-text test cases, making it more suitable for comprehensive safety evaluation and alignment.

Q3: Limited baseline comparison due to Arondight exclusion.

R3: We fully agree that Arondight is highly relevant and would serve as a valuable baseline for comparison. In fact, we recognized its importance during the initial stages of our experiments and made efforts to include it. Unfortunately, since the authors have not released the official code and the prompts used in their paper, we are unable to reproduce their method. To provide a preliminary comparison in the meantime, we have directly compared the reported Arondight results under a shared experimental setting—using Qwen-VL as the target model and three overlapping harmful categories: Illegal Activity, Adult Content, and Violent Content. Moreover, the metrics used in both works are also the same: fault detection rate and the prompt diversity. As shown in the table, our method achieves superior performance in both fault detection rate and prompt diversity.

Q4: Limited discussion on defensive methods.

R4: Due to space constraints, we kindly refer you to our detailed responses to Reviewer YghG’s Q3.

---

[1] Qi et al. Visual Adversarial Examples Jailbreak Aligned Large Language Models

[2] Li et al. Images are Achilles' Heel of Alignment: Exploiting Visual Vulnerabilities for Jailbreaking Multimodal Large Language Models

We appreciate your detailed feedback and supportive comments.

Q1: Restricting the number of ICL examples / Tips would be a good test of the refinement process.

R1: Thank you for the insightful suggestion. We conducted additional experiments as per your recommendation. As shown in the table below, when the number of ICL examples is reduced from 8 (our default) to 1, the Fault Detection Rate slightly increases. However, this comes at the cost of reduced diversity, weaker semantic alignment, and higher toxicity in the generated test cases.

This trade-off is expected: using a larger number of ICL examples guides the red-teaming LLM to explore a broader and more diverse set of vulnerabilities. In contrast, with only one ICL example, the model tends to focus on more direct adversarial behaviors (e.g., jailbreak-style attacks), leading to higher attack success but lower diversity and increased toxicity.

We will include these results and analysis in our revision to highlight the importance of the number of ICL demonstrations in balancing red-teaming effectiveness and safety.

Moreover, we conducted an ablation study by reducing the number of tips from the default setting of 2 to 1. The table below shows that with only one tip, the FDR remains high (96%)—even slightly higher than the default setting. However, similar to the findings with reduced ICL examples, this comes at the cost of reduced diversity and increased toxicity. Thus, more tips helps guide the LLM toward generating more diverse and safer adversarial test cases, rather than concentrating on a narrow class of high-toxicity attacks. It reinforces the importance of multi-faceted guidance (via tips and ICL examples) in supporting controllable and diverse red-teaming generation.

Q2: Varying temperature settings in target VLMs.

R2: Thank you for the suggestion. In our default setting, we set do_sample=False for reproducibility (noting a typo in the appendix where it was incorrectly written as true). Following your advice, we varied the VLM temperature to 0.5 and 1.5. As shown below, our method achieved even higher FDRs, confirming its robustness. This aligns with findings from [1], which report that higher temperature increases vulnerability. We will add this result and correct the appendix typo in the revised version.

Q3: Finetuning LLM for red-teaming specifically.

R3: We appreciate this insightful suggestion. Indeed, fine-tuning language models specifically for red-teaming can be an effective approach, as demonstrated in prior works such as [2]. In our paper, the primary focus is exploring whether demonstrations and iterative feedback can effectively guide an LLM to autonomously generate high-quality adversarial test cases without the need for extensive training data collection or substantial computational resources. Nonetheless, fine-tuning-based methods are complementary to our approach. A promising future direction would be to first fine-tune a red-teaming model using collected data, and subsequently apply our demonstration- and feedback-based methodology to further enhance red-teaming performance. We will clarify this complementary relationship and highlight potential integration in our future work discussions. Thanks again for this insightful suggestion.

Q4: Mitigation methods for red-teaming attacks.

R4: We agree defensive strategies enhance the practical impact of our research. Due to space constraints, we kindly refer you to our detailed responses to Reviewer YghG’s Q3.

---

[1] Huang et al., Catastrophic Jailbreak of Open-source LLMs via Exploiting Generation.

[2] Li et al., ART: Automatic Red-teaming for Text-to-Image Models to Protect Benign Users.

Thank you very much for your valuable feedback and insightful suggestions.

Q1: Limited novelty of LLM-based automation.

R1: We acknowledge that various red-teaming methods have emerged recently, targeting different models, such as LLMs [1] and text-to-image models [2]. However, these existing methods cannot be directly applied to Vision-Language Models (VLMs), as VLMs inherently operate with two modalities (image and text) that exhibit complex inter-modal correlations (as further illustrated in our response to Q2 below). To the best of our knowledge, the only existing red-teaming method specifically designed for VLMs is Arondight. However, Arondight requires reinforcement learning for training, whereas our TRUST-VLM leverages in-context learning, offering a significantly more lightweight yet effective solution. Experimental results demonstrate that TRUST-VLM achieves superior performance in terms of both attack success rate and diversity of discovered vulnerabilities. Due to space constraints, we kindly refer the reviewer to our response to Reviewer iB5W’s Q3 for details of this comparison.

We will clearly emphasize these distinctions and explicitly highlight the advantages of our lightweight ICL-based feedback mechanism in comparison to existing RL-based methods in our revision.

---

Q2: Unclear contribution of images to jailbreaking success.

R2: Thank you for highlighting this important point. Following your suggestion, we conducted additional experiments to assess the sensitivity of our method to the input image. Specifically, we combined an optimized textual prompt with two types of images: (1) a random image, and (2) an image from a different optimization round but within the same harmful activity category. The results are as follows:

• Random image → 0% fault detection rate
• Different-round image (same activity) → 24% fault detection rate

These findings support two conclusions:

• Image optimization is crucial—it enhances the harmfulness of the input beyond a generic or random image.
• Image-text alignment matters—even within the same activity, mismatched images and prompts reduce attack effectiveness. This validates our design choice to jointly optimize both modalities in our red-teaming framework.

---

Q3: Missing comparisons with recent state-of-the-art methods.

R3: We appreciate the reviewer’s suggestion. In fact, our experiments are conducted on four open-source VLMs and one commercial model. The results consistently demonstrate that our TRUST-VLM framework achieves similarly strong performance across these diverse model architectures, supporting its generalizability.

Additionally, we have compared our method with the state-of-the-art red-teaming method Arondight using the Qwen-VL model as the target. Due to space constraints, we kindly refer the reviewer to our response to Reviewer iB5W’s Q3 for details of this comparison. We will include these cross-model results and further clarify them in the revised version.

---

Q4: Insufficient test cases and Lack of evaluation details.

R4: We agree with the importance of thorough experimentation. Due to the fact that the baseline method (RedTeaming VLM) provides only 200 jailbreak test cases, we maintained consistency by generating 200 test cases using our TRUST-VLM method for fair comparison.

Moreover, our red-teaming evaluation spans four open-source VLMs, one commercial model and six distinct harmful categories. For each model, we generate 200 success test cases (1k test cases in total). The metrics reported in our paper represent the average performance across these categories and models. Detailed category-wise performance is also provided in the appendix for transparency. We agree that multiple evaluation runs per category per model can offer more reliable and stable results. Currently, we are in the process of generating additional adversarial test cases and conducting further experiments to compute standard deviations and variance measures, thus assessing stability comprehensively. We will share these extended results with you as soon as possible in our next response.