Pith Number

pith:2T5IQMSX

pith:2026:2T5IQMSX4MYJJU2DXQ4W55YZFD
not attested · not anchored · not stored · refs pending

Self-Mined Hardness for Safety Fine-Tuning

Donghua Zhang, Garv Shah, Prakhar Gupta

Models can improve safety fine-tuning by selecting prompts based on how often their own responses are judged harmful.

arxiv:2605.03226 v2 · 2026-05-04 · cs.LG · cs.AI · cs.CR

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{2T5IQMSX4MYJJU2DXQ4W55YZFD}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 strongest claim

On Llama-3-8B-Instruct and Llama-3.2-3B-Instruct, this approach cuts the WildJailbreak attack success rate from 11.5% and 20.1% down to 1-3%, but pushes refusal on jailbreak-shaped benign prompts from 14-22% to 74-94%. Interleaving the same hard prompts 1:1 with adversarially-framed benign prompts cuts that refusal back down to 30-51% on 8B and 52-72% on 3B, at a cost of 2-6 percentage points of attack success rate.

C2 weakest assumption

That the frequency with which the model's own rollouts are judged harmful provides a reliable and unbiased measure of prompt difficulty for safety fine-tuning, and that the external harm judgment itself is consistent and free of systematic error.

C3 one line summary

Self-mined hardness from model rollouts reduces WildJailbreak attack success rates to 1-3% on Llama models but increases over-refusal on benign prompts, which mixing with adversarially-framed benign prompts partially mitigates.

Formal links

2 machine-checked theorem links

Receipt and verification
First computed 2026-06-09T02:08:43.559849Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

d4fa883257e33094d343bc396ef71928d8522a248c903bea260f58104eb70458

Aliases

arxiv: 2605.03226 · arxiv_version: 2605.03226v2 · doi: 10.48550/arxiv.2605.03226 · pith_short_12: 2T5IQMSX4MYJ · pith_short_16: 2T5IQMSX4MYJJU2D · pith_short_8: 2T5IQMSX
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/2T5IQMSX4MYJJU2DXQ4W55YZFD \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: d4fa883257e33094d343bc396ef71928d8522a248c903bea260f58104eb70458
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "2a3f685c21e3536239d4e7eb3c3674fabea9b16ff3ba2c2182c8d5a13c2d0909",
    "cross_cats_sorted": [
      "cs.AI",
      "cs.CR"
    ],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.LG",
    "submitted_at": "2026-05-04T23:30:29Z",
    "title_canon_sha256": "8960708f235e99c37ce82d273ec3d0dfc3d5230cb674c314ecd322d93ff6ea0f"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.03226",
    "kind": "arxiv",
    "version": 2
  }
}