Gemma 4 jailbreak: same attack works instantly

A security researcher just proved that Google's brand-new Gemma 4 model falls to the exact same jailbreak that broke Gemma 3—without changing a single word. And that's not a bug. It's a feature of how the entire industry is broken.

theAIcatchup 6 min read
The Gemma 4 Zero-Shot Attack Problem: Why AI Safety Theater Fails on Day One — theAIcatchup

Key Takeaways

  • Identical jailbreak method used on Gemma 3 worked flawlessly on Gemma 4 without modification—proving zero-shot attack transfer across new model versions
  • Responsible disclosure is broken: researchers get flagged by safety filters while attempting to document vulnerabilities through proper channels
  • Safety theater, not security: the industry optimizes for PR and headlines rather than building genuine defense mechanisms woven into model training
  • The problem is systemic, not unique to Google—zero-shot attacks transfer because the underlying vulnerabilities exist across similar architectures industry-wide

What if the biggest AI safety problem isn’t what the models know—but that we’re all pretending the problem doesn’t exist?

That’s the uncomfortable reality exposed by a recent security test of Gemma 4, Google’s latest open-source language model. Within hours of its release, a researcher demonstrated that the exact same attack method used on Gemma 3 worked flawlessly on Gemma 4. No tweaking. No adaptation. Just copy-paste the system prompt, add fewer than ten words, and watch the safety guardrails crumble.

This isn’t a story about Gemma being uniquely bad. It’s a story about an entire industry caught in a cycle of disclosure denial, filter theater, and the terrifying predictability of large language models.

Why Zero-Shot Transfer Attacks Are So Damning

Let’s be precise about what happened here. The researcher used a specific jailbreak technique on Gemma 3 months ago. That technique relied on a particular system prompt structure and minimal user input to bypass the model’s safety training. When Gemma 4 shipped, the researcher ran the identical attack—same prompt, same structure, same strategy—and it worked immediately.

That’s zero-shot transfer. Not a new attack. Not even a refined one. The old playbook, unchanged, defeated a new model on day one.

“This flaw exists in many models. It’s not just Google. It’s everyone.”

This matters because it reveals something uncomfortable: the safety mechanisms these companies are building operate at the surface level. They’re like locks that only stop people trying the obvious keys. A researcher with the original attack formula can walk right through.

But here’s where it gets worse. The researcher attempted to document this finding responsibly. They reached out to Claude (via Anthropic) asking for help with redaction and curation of sensitive material. The response? They got kicked out of Claude Opus. Switched to Claude Sonnet 4.6, same problem. Even with self-censorship applied, the system still flagged them.

The Responsible Disclosure Problem Nobody Wants to Solve

This is the trap. Try to report a vulnerability quietly, and you’ll find that most AI companies—despite their public commitment to safety—have filters so indiscriminate they can’t tell the difference between “legitimate researcher documenting a redacted finding” and “bad actor requesting harmful content.”

One of the Claude variants eventually acknowledged the paradox directly: researchers doing proper disclosure work are getting caught by the same safety nets designed to protect the public. The irony is suffocating.

The core issue? Mass-media terror. Every major AI lab is terrified of becoming the company that made the headline. A few high-profile incidents where AI models spouted dangerous content, and suddenly the entire industry went risk-averse. Not security-conscious. Risk-averse. That’s different.

When you’re that afraid of a headline, you don’t invest in genuine security research partnerships. You install theater. Shiny filters that catch obvious attempts. Safety features that look good in a blog post. And when researchers try to work within responsible disclosure channels, they hit the same filters meant for the general public. It’s a system designed to fail.

Why This Matters Beyond Gemma 4

The Gemma 4 attack transfer problem exposes a fundamental truth: large language models, as they’re currently trained, have brittle safety boundaries. The defenses aren’t deeply woven into how the model reasons. They’re applied as a thin layer on top—almost like guard rails you can vault around if you know the technique.

And once you know the technique? It transfers. Across models. Across versions. Across companies. Because the underlying architecture hasn’t fundamentally changed, and neither have the ways to circumvent it.

Consider how this plays out in the real world. A vulnerability discovered in one model becomes a vulnerability in all models with similar training pipelines. Responsible researchers who find these flaws face a choice: publish publicly and risk enabling bad actors, or report quietly and get flagged by the very companies they’re trying to help. Meanwhile, the actual bad actors? They’re probably working outside these channels entirely, testing jailbreaks on low-cost inference APIs without anyone knowing.

The Castle is in Another Castle

The researcher ends on a note of exhaustion: “Not me. I’ll duck & cover like everyone else. The scapegoat is also in another castle.”

There’s real frustration there. This person has documented a serious problem using a responsible methodology. They’ve shown that the problem is industry-wide, not isolated. They’ve tried multiple paths to proper disclosure and been stonewalled by safety filters that don’t understand context. And they’re now in a position where the only choices are: go public and feed the attack to the internet, stay quiet and let the vulnerability persist, or give up entirely.

Meanwhile, the companies with the biggest vulnerabilities stay under the radar because they’re big enough, PR-savvy enough, or just lucky enough to not be the flavor of the week for journalists. The industry collectively avoids building real solutions because a real solution would require admitting how brittle the current approach is.

What This Actually Means

Gemma 4 didn’t fail because of sloppy engineering. It failed because the entire industry is optimizing for the appearance of safety, not actual safety. Responsibly disclosed vulnerabilities get their researchers kicked out of systems. Irresponsibly disclosed ones might eventually force change, but only after damage is done. And genuine, deep security research—the kind that takes months and requires access to model internals—is being replaced by surface-level prompt engineering that anyone with five minutes can replicate.

The zero-shot transfer attack working on Gemma 4 isn’t a bug report. It’s a symptom. And until the industry stops choosing theater over investment, the symptoms are only going to get louder.

🧬 Related Insights

Frequently Asked Questions

What is a zero-shot attack transfer on AI models? It’s when a jailbreak technique that works on one model works immediately on another model without any modification. It suggests the underlying safety mechanisms are superficial rather than fundamental—the vulnerability exists across the architecture, not in the specific implementation.

Can I try this attack on Gemma 4 myself? Technically yes, but the researcher has intentionally redacted the specific method because responsible disclosure matters. The broader point—that identical attacks transfer across models—is documented and verifiable by security researchers with proper frameworks.

Why don’t AI companies just fix this? Because the real fix would require rethinking how safety is embedded in model training from the ground up, not slapped on as a filter. That’s expensive, time-consuming, and requires admitting current approaches are fundamentally flawed. It’s easier to upgrade filters every few months and hope the next headline never comes.

Aisha Patel
Written by
Aisha Patel

Former ML engineer turned writer. Covers computer vision and robotics with a practitioner perspective.

Frequently asked questions

What is a zero-shot attack transfer on AI models?
It's when a jailbreak technique that works on one model works immediately on another model without any modification. It suggests the underlying safety mechanisms are superficial rather than fundamental—the vulnerability exists across the architecture, not in the specific implementation.
Can I try this attack on Gemma 4 myself?
Technically yes, but the researcher has intentionally redacted the specific method because responsible disclosure matters. The broader point—that identical attacks transfer across models—is documented and verifiable by security researchers with proper frameworks.
Why don't AI companies just fix this?
Because the real fix would require rethinking how safety is embedded in model training from the ground up, not slapped on as a filter. That's expensive, time-consuming, and requires admitting current approaches are fundamentally flawed. It's easier to upgrade filters every few months and hope the next headline never comes.
#ai-jailbreak #gemma-4-security #responsible-disclosure

Worth sharing?

Get the best AI stories of the week in your inbox — no noise, no spam.

Originally reported by Dev.to

Related Stories

📬

Stay in the loop

The week's most important stories from theAIcatchup, delivered once a week.

No spam. Unsubscribe any time.