Speak Easy: Eliciting Harmful Jailbreaks from LLMs with Simple Interactions

Thank you for your encouraging feedback and for recognizing the significance of our contributions. We are grateful that you found our work clearly motivated, supported by extensive experimental results, and offers a critical new perspective on jailbreak attacks. This aligns with our primary goal of grounding jailbreak research in realistic, user-facing scenarios—specifically, examining how simple interactions can lead to harmful outputs that are both actionable and informative.

While no specific revisions were suggested, we will continue to refine the paper with additional experiments and improved clarity. Please do not hesitate to let us know if there are any other ways we can strengthen our work. Thank you again for your evaluation and support!

Thank you for acknowledging the engineering strength of our work and for your thoughtful suggestions! We appreciate your willingness to reconsider your score based on a clearer explanation of our contributions.

1. Framing of contributions

The paper has more engineering contribution than jailbreak science.

Our primary motivation is to demonstrate that average users—without technical expertise—can leverage simple, natural interactions with LLMs to elicit harmful outputs. This reveals a critical yet underexplored vulnerability in safety-aligned LLMs. To reflect realistic usage scenarios, we designed Speak Easy as an engineering pipeline that emulates common multistep, multilingual interactions and shows the effectiveness of jailbreaking through everyday use.

2. Clarifying the role of HarmScore

HarmScore is pretty calibrated with ASR … It’s better to frame HarmScore as helpful to provide useful optimization signal to search for jailbreaks.

Thank you for this observation. We designed HarmScore to measure the real-world impact of jailbreak responses from the perspective of non-expert users, specifically on how actionable and informative a response is, which aligns with perceived harmfulness.

We acknowledge that HarmScore is often correlated with ASR, and we agree that some degree of calibration is expected—since successful jailbreaks are more likely to result in harmful outputs. However, HarmScore and ASR serve different purposes: ASR captures whether the model complies with a harmful request, while HarmScore evaluates how useful that response is to a malicious actor.

To further clarify this distinction, we demonstrate that ASR and HarmScore may not be calibrated in certain harm categories. We report the by-category scores of the Harmful and Harassment categories below, where HarmScore aligns better with human judgment in Table 3 in the main paper. Here, the scores are evaluated on jailbreak outputs from GPT-4o using the Direct Request + Speak Easy baseline, on the HarmBench dataset.

There is a divergence between ASR and HarmScore in these categories. While some outputs may not be labeled as successful jailbreaks by ASR, HarmScore indicates that they can still be actionable and informative in inducing harm. We appreciate the reviewer’s suggestion, and since ASR and HarmScore serve different purposes and are not always calibrated, we believe HarmScore provides valuable additional granularity. Therefore, we report both metrics in our experiments to offer a holistic view.

The experiment design to choose actionability and informativeness can just be motivated by examples.

Our initial selection of attributes was indeed inspired by qualitative observations of harmful responses. We opted to conduct a controlled human evaluation to empirically validate our intuition and to ensure rigor in how we identify attributes that matter most for jailbreak harmfulness. We believe that grounding these metrics in human judgment provides added clarity, transparency, and robustness, especially as the field advances toward more interpretable and user-centered safety metrics.

ASR itself is not defined by rubrics so it is not useful to argue HarmScore is better than a general metric. You can directly argue HarmScore is the better way to compute ASR.

We agree and want to clarify that we do not claim HarmScore is a better metric than ASR, but rather that it captures different and complementary aspects of jailbreak evaluation. As demonstrated in Table 3, each metric excels in different categories. This is why we report both HarmScore and ASR throughout the paper to provide a more holistic view of jailbreak efficacy. We will ensure this distinction is made clearer in the revision.

3. Clarifying the contribution of Speak Easy

The improved HarmScore or ASR are mostly due that LLMs are more vulnerable on low-resource languages.

We acknowledge that vulnerabilities in low-resource languages have been previously observed. Our motivation is to show that this vulnerability can be effectively leveraged through simple, realistic interactions. Specifically, our work shows that combining multi-step reasoning with multilingual queries results in significantly more harmful outputs, even in safety-aligned models.

In Section 5.4, we show that multi-step interactions contribute more significantly to increased harmfulness, rather than multilinguality alone. Figure 5 shows that higher-resource languages (e.g., English) are selected more frequently in response selection, suggesting that the gains are not solely driven by low-resource language exploitation.

We hope our responses have addressed your concerns. Please let us know if further clarification is needed. If the issues are resolved, we would be grateful if you could consider raising your score.

Thank you for your detailed review and valuable suggestions! We would like to clarify the experimental details and will ensure these are clearly presented in the revised paper.

1. Refusal string in HarmScore

We use the list of refusal strings from the GCG paper [1] to check whether a response contains any refusal words (L158–160, right column). This serves as an initial filter to decide whether to evaluate actionability and informativeness in HarmScore. Since detecting refusal patterns is not the focus of HarmScore, we adopt this existing list which was previously used in jailbreak evaluations [2].

[1] Zou et al., 2023. Universal and Transferable Adversarial Attacks on Aligned Language Models.
[2] Robey et al., 2023. SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks.

2. Regarding response selection models

The response selector was trained on GPT-4 collected data. What kind of scores were collected?

In training the response selection models, two types of scores were collected:

1. During curating training data: We collect binary labels from GPT-4 on whether a query-response pair is actionable and informative, then construct preference pairs by pairing actionable vs. non-actionable responses (and informative vs. uninformative responses) under the same query.
2. During training: We train a Llama3-8B model using iterative DPO to maximize the log-likelihood margin between preferred and non-preferred responses, and the model outputs a continuous score for each attribute. To mitigate extreme values, we apply a sigmoid function and map scores to the $[0,1]$ interval. The “output scores” mentioned in L254 refers to the raw scores produced by the reward model prior to the sigmoid transformation.

Further details are in L212-214 right column and Appendix B2.

Table 2: the paper does not mention what these numbers are.

The scores are the accuracy in assigning higher scores to the preferred responses (actionable or informative) compared to less preferred ones. The construction of the preference test sets is described in L256-263 left column.

How are the baseline models in Table 2 selected and how are they used in evaluation?

The selected baseline models are trained to produce a scalar score that captures response quality, and we select them due to their strong performance on RewardBench [3] at the time of our experiments. Actionability and informativeness can be viewed as corollaries of quality and hence we use them for off-the-shelf comparison.

[3] Lambert et al., 2024. RewardBench: Evaluating Reward Models for Language Modeling.

3. Implementation details of GCG-T and TAP-T

The paper needs to explain 1) what models were used to generate the attacks, 2) TAP is applicable to all models evaluated. Why did the paper use the Transfer variant of it?

We describe each method in Appendix C and will ensure that these details are more clearly communicated in the revised paper.

• For GCG-T, we use the Vicuna-7B and Vicuna-13B models, which is the standard setup in the GCG paper.

• For TAP-T, we use GPT-4o as both judge and target and Mixtral 8x7B as the attack generator. We adopt the transfer variant because combining TAP with Speak Easy could lead to excessive computational requirements (up to 10×10×4×3 queries per harmful query). Additionally, according to HarmBench, TAP-T outperforms TAP on GPT-4 and hence is a more suitable choice for comparison.

4. Performance comparison of Speak Easy and TAP

While we agree that TAP outperforms Speak Easy on ASR, the main objective of our paper is not to introduce Speak Easy as a method that displaces existing methods. Instead, we show that simply employing multi-step and multilingual interactions can substantially increase harmfulness, both in a standalone setting and when combined with existing methods. Prompt rewriting strategies such as TAP may also be accessible to typical users, but integrating Speak Easy with TAP increases ASR and HarmScore to a greater extent. Additionally, as shown in Figure 4 and Table 10, Speak Easy yields higher HarmScore than TAP-T, likely because TAP responses often lean toward creative storytelling and lack actionable, informative content.

5. HarmScore underperforms in cybercrime category

We conduct an additional experiment to label queries in the cybercrime and misinformation categories (where HarmScore underperforms) in Table 3, with chemical category as a control. We instruct GPT-4o to label each query as either a “content generation” or “actionable guideline” request:

• Misinformation: 100% content generation
• Cybercrime: 70% content generation
• Chemical: 100% actionable guidelines

This mismatch supports our hypothesis that HarmScore struggles to assess response actionability for content generation questions in the cybercrime and misinformation categories.

We hope these clarifications address your concerns and would appreciate your consideration in raising your score.

Thank you for your detailed feedback and for acknowledging the significance of our work and its robust experimental results! We appreciate the opportunity to expand on our language evaluation and jailbreak experiments.

1. Reporting ASR and HarmScore for individual languages

Report ASR and HARMSCORE for each language separately to identify which languages are most effective for jailbreaking.

We agree that reporting ASR and HarmScore for individual languages would offer valuable insight into language-specific vulnerabilities. In the main paper, we focused on aggregate results because Speak Easy operates over multilingual, multistep interactions, and the final response often comprises content from multiple languages, selected based on informativeness and actionability.

To approximate the contribution of individual languages, we reported results under the “Fixed Language” setting in Appendix C, Table 11, where responses to all subqueries were selected from a single fixed language. We additionally report ASR and HarmScore for each language in this setting below:

High-resource languages demonstrate greater vulnerabilities, as Chinese has the highest ASR and English has the highest HarmScore. However, using any single language consistently underperforms compared to Speak Easy’s multilingual response selection. This supports our core claim that multilingual querying, when combined with multi-step decomposition, is a key factor in enabling stronger jailbreaks.

2. Additional Experiments to Demonstrate the Generalizability of Speak Easy

The claims are well-supported by quantitative results and human evaluations, though the generalizability to unseen attack techniques could be explored further.

We appreciate your suggestion to further evaluate the generalizability of Speak Easy to unseen attack strategies. In the main paper, we integrate Speak Easy with two attack paradigms, adversarial suffix optimization (GCG-T) and prompt-based optimization (TAP-T). To extend our analysis, we evaluate Speak Easy with a recent, third class of jailbreak that exploits the generalization gap in safety training by using past-tense phrasing [1]. We first run the baseline Past Tense Attack using GPT-4o on all four benchmarks, with a single attempt per query. To integrate Speak Easy, we use GPT-4o to reformulate the malicious query into past tense, and then apply the standard Speak Easy pipeline.

The table below presents our results. Combining Speak Easy with the Past Tense Attack consistently improves both ASR and HarmScore across all benchmarks, compared to using the attack alone.

[1] Andriushchenko and Flammarion, 2024. Does Refusal Training in LLMs Generalize to the Past Tense?

Please let us know if further clarification or results would be helpful. If accepted, will we use the additional page to incorporate the additional experimental results and analysis. If you find our clarifications satisfactory, we would be grateful if you would consider raising your score. Thank you again for your thoughtful feedback!