JailbreakQR: Divergent Paradigms in AI and QR Codes
- JailbreakQR is a polysemous term representing distinct research artifacts in LLM safety and QR-code security, including benchmarks, evaluation frameworks, red-teaming pipelines, and physical-layer attacks.
- In the LLM context, it introduces rigorous, decompositional evaluation methods with human-annotated data that achieve high accuracy and substantially reduce false positives compared to earlier proxies.
- In QR-code security, it describes a half-pixel module-splitting attack that leverages controlled camera tilt to alternately decode dual embedded messages with near-perfect reliability.
JailbreakQR is a polysemous term used in 2025 arXiv literature for several distinct research artifacts rather than a single, stable object. In LLM safety, it denotes a human-annotated jailbreak-evaluation benchmark introduced with JADES (Chu et al., 28 Aug 2025), a quantitative jailbreak-evaluation design distilled from the scenario-adaptive SceneJailEval framework (Jiang et al., 8 Aug 2025), and, in one technical summary, a reference to the Jailbreak-R1 automated red-teaming framework (Guo et al., 1 Jun 2025). In QR-code security, the same label denotes the half-pixel module-splitting attack presented in “Dueling QR Codes: The Hyding of Dr. Jeckyl” (Noever et al., 4 Feb 2025). The shared name therefore spans benchmark construction, evaluation methodology, attack generation, and optical barcode exploitation.
1. Terminological scope and disambiguation
A common source of confusion is that “JailbreakQR” does not identify a single benchmark, framework, or attack. The term is used for multiple non-equivalent entities with different goals, data models, and evaluation targets.
| Source | Meaning of “JailbreakQR” | Object type |
|---|---|---|
| JADES (Chu et al., 28 Aug 2025) | a newly introduced benchmark of 400 prompt–response pairs | human-annotated jailbreak benchmark |
| SceneJailEval summary (Jiang et al., 8 Aug 2025) | a quantitative jailbreak-evaluation design | scenario-adaptive evaluation framework plus 14-scenario dataset |
| Jailbreak-R1 summary (Guo et al., 1 Jun 2025) | a reference to the Jailbreak-R1 framework | automated red-teaming training pipeline |
| “Dueling QR Codes” (Noever et al., 4 Feb 2025) | the half-pixel module-splitting attack | angle-dependent dual-message QR code technique |
This suggests that “JailbreakQR” functions more as a reused label than as a settled term of art. In the LLM literature, the label attaches to evaluation and attack-generation systems; in the barcode literature, it refers to a physical-layer attack against ISO/IEC 18004:2015-compliant QR decoding (Noever et al., 4 Feb 2025).
2. JailbreakQR as a human-annotated jailbreak benchmark
In “JADES: A Universal Framework for Jailbreak Assessment via Decompositional Scoring,” JailbreakQR is introduced to address a specific weakness of prior jailbreak benchmarks: they collect open-ended harmful questions without reference answers, so success is judged by crude proxies such as string matches, toxicity flags, or naive holistic LLM judgments (Chu et al., 28 Aug 2025). The stated motivation is that such proxies misinterpret model outputs and inflate success rates. JailbreakQR is therefore positioned as a small but carefully human-annotated benchmark with clear success/failure criteria, intended to anchor automated judges against a gold standard.
The benchmark contains 400 prompt–response pairs sampled from a larger pool of 4,160 instances, derived from 260 harmful questions, 5 attacks, and 4 models (Chu et al., 28 Aug 2025). Each pair receives one of three ordinal labels: failed, partially successful, or successful. Beyond the primary label, the benchmark tracks which jailbreak method produced the response—GCG, DSN, LAA, PAIR, or JailbreakChat—and which target LLM was evaluated: Vicuna, Llama-2, GPT-3.5-Turbo, or GPT-4.
| Label | Count | Percentage |
|---|---|---|
| failed | 145 | 36.25% |
| partially successful | 138 | 34.50% |
| successful | 117 | 29.25% |
The benchmark’s role is explicitly to bridge the gap between expensive manual evaluation and error-prone proxies (Chu et al., 28 Aug 2025). It supports both binary attack success rate measurement and finer-grained ordinal analysis, making it suitable for evaluating whether an automated judge captures partial fulfillment rather than only overt refusal or overt compliance.
3. Annotation protocol, formal scoring, and empirical findings in JADES
The annotation protocol permits either decomposition or holistic labeling. Annotators may decompose the harmful question into sub-questions, mark each as critical or supporting, judge each sub-question as Fulfilled, Partially Fulfilled, or Not Fulfilled, and then aggregate these judgments into failed, partially successful, or successful (Chu et al., 28 Aug 2025). If they choose not to decompose, they label holistically against the original question. Each of the 400 pairs was labeled by three independent annotators; disagreements were resolved by majority vote; Krippendorff’s ordinal was $0.823$, reported as “almost perfect” agreement by Landis & Koch (Chu et al., 28 Aug 2025). For failed and partially successful cases, annotators also wrote free-text explanations.
The JADES framework uses JailbreakQR with a decompositional scoring formalism. A harmful question is broken into weighted sub-questions
The response is split into sentences, irrelevant sentences are removed, and a pairing agent matches relevant sentences to each (Chu et al., 28 Aug 2025). Each sub-answer receives a five-level Likert score
and the overall score is
The binary mapping is and ; the ternary mapping is , $0.823$0, and $0.823$1 (Chu et al., 28 Aug 2025).
Empirically, JADES was evaluated on JailbreakQR against StringMatch, JailbreakRadar, JailbreakBench, HarmBench, and StrongReject, using GPT-4o agents at temperature $0.823$2 (Chu et al., 28 Aug 2025). In the binary setting on 400 pairs, JADES achieved Accuracy $0.823$3, Precision $0.823$4, Recall $0.823$5, and $0.823$6; the best baseline remained below $0.823$7 in Accuracy and below $0.823$8 in Precision and $0.823$9 (Chu et al., 28 Aug 2025). The system incurred only 0 false positives and 1 false negatives, and out-performed prior proxies by at least 2 points in Accuracy. In the ternary setting, overall Accuracy was 3, with per-class 4 of 5 for failed, 6 for partially successful, and 7 for successful, giving Macro-8 (Chu et al., 28 Aug 2025).
The benchmark was also used to re-evaluate five popular attacks on four LLMs. Under binary ASR, previously reported attack success rates were materially reduced; for example, GPT-3.5 + LAA dropped from 9 to 0, Vicuna + DSN from 1 to 2, and Llama-2 + LAA from 3 to 4 (Chu et al., 28 Aug 2025). Under ternary evaluation, most nominal ASR “successes” became partial successes, with 5 for nearly all method–model pairs. The recommended practice is to report ternary labels alongside binary ASR, introduce PSR and 6, prefer analytic or decompositional evaluation over holistic proxies, optionally integrate fact-checking, calibrate sub-question weights for domain transfer, and preserve a human-in-the-loop path for edge-case decomposition errors (Chu et al., 28 Aug 2025).
4. JailbreakQR as a scenario-adaptive quantitative evaluation design
A separate use of the term appears in the consolidated reference derived from “Beyond Uniform Criteria: Scenario-Adaptive Multi-Dimensional Jailbreak Evaluation,” where “JailbreakQR” denotes a quantitative jailbreak-evaluation design driven by the SceneJailEval framework (Jiang et al., 8 Aug 2025). SceneJailEval is motivated by the claim that binary classification yields only “yes/no” labels without quantifying harm intensity, while existing multi-dimensional frameworks apply uniform criteria across scenarios, causing scenario-specific mismatches such as the irrelevance of “Relative Truthfulness” to “hate speech” (Jiang et al., 8 Aug 2025).
SceneJailEval organizes evaluation into four modules: Scenario Classification, Scenario-Dim Adapter, Jailbreak Detection, and Harmfulness Evaluation (Jiang et al., 8 Aug 2025). For each query–response pair 7, it returns a jailbreak flag 8 and a harm score 9 on a 0–max scale. The scenario classifier maps 1 to one of 2 scenarios. The adapter then selects scenario-specific detection dimensions 3, detection rules 4, harm dimensions 5, harm criteria 6, and weights 7, with irrelevant dimensions assigned weight 8 (Jiang et al., 8 Aug 2025).
The detection dimensions are Rejection, Helpfulness, RegionalCompliance, RiskWarning, PoliticalNeutrality, and Explicitness. The harmfulness dimensions, derived from DREAD/CVSS risk models on a 9–0 scale, are Authenticity, Specificity, Severity, and ImpactScope (Jiang et al., 8 Aug 2025). The formal definitions are
1
and
2
For expert elicitation and weight derivation, the framework reports the Delphi consensus statistics
3
and the AHP relation
4
with normalization and the consistency condition
5
The accompanying dataset covers 14 scenarios: Violent Crime, Non-violent Crime, Sex-related Crime, Child Sexual Exploitation, False Information / Defamation, Professional Advice (med/finance/legal), Privacy Invasion, IP Infringement, Weapons of Mass Destruction, Hate / Discrimination, Suicide / Self-harm, Sexual Content, Political Agitation / Elections, and Regional Sensitive Issues (Jiang et al., 8 Aug 2025). It contains 1,308 samples, with approximately 80–120 queries per scenario, Chinese and English support, region tags including CN, US, and EU, and metadata for scenario, sub-scenario, query, response, detection labels 6, harm scores 7, and expert consensus weights 8 (Jiang et al., 8 Aug 2025).
The reported detection metrics are Precision, Recall, 9, and Accuracy; harmfulness is measured with NMAE and Spearman 0; open-set security is measured with ASR and AvgHarm (Jiang et al., 8 Aug 2025). On the in-house dataset, the “Ours” system reports Accuracy 1, Precision 2, Recall 3, and 4 (approximately 5). The abstract further states that SceneJailEval achieves an 6 score of 7 on the full-scenario dataset, representing 8 over prior SOTA, and 9 on JBB, representing 0 over prior SOTA (Jiang et al., 8 Aug 2025). On public benchmarks, the table reports 1 on JBB, 2 on JailJudge, and 3 on Safe-RLHF, with the note that Beaver is heavily fine-tuned to Safe-RLHF (Jiang et al., 8 Aug 2025).
An important design property is extensibility. New scenarios and new dimensions can be added through API-style interfaces, and a “Product Consultation” case study defines a detection dimension called Loyalty and harm dimensions Derogation and Specificity (Jiang et al., 8 Aug 2025). For that 200-query custom test, the reported results are Acc/Prec/Rec/4, NMAE 5, and 6. This suggests that, in this usage, JailbreakQR is not merely a label set but a configurable quantitative evaluation stack for scenario-aware red-teaming.
5. JailbreakQR as a reference to Jailbreak-R1
In the technical summary associated with “Jailbreak-R1: Exploring the Jailbreak Capabilities of LLMs via Reinforcement Learning,” “JailbreakQR” is used as a reference to the Jailbreak-R1 framework rather than to a benchmark (Guo et al., 1 Jun 2025). The framework targets automated red teaming and is organized as a three-stage training pipeline: Cold Start, Warm-up Exploration, and Enhanced Jailbreak.
Cold Start performs imitation learning and supervised finetuning on 7 of approximately 8K examples rewritten into the template "> …<attack>…</attack>", using 2 epochs, learning rate 9, and batch size 0 (Guo et al., 1 Jun 2025). Warm-up Exploration trains on 1 of 2K targets using Group Relative Policy Optimization, with rewards 3 and 4, 1 epoch, learning rate 5, batch size 6, 7 samples per input, 8, and 9 (Guo et al., 1 Jun 2025). Enhanced Jailbreak introduces progressive jailbreak rewards by sequentially training against progressively weakened target models 0 on 1 of 2K targets, with learning rate 3, batch size 4, 5 samples per input, 6, and temperature 7 (Guo et al., 1 Jun 2025).
The formalism is an MDP whose state is the partial generation state 8, whose action space is the token vocabulary, and whose policy is the transformer-based sequence model 9 (Guo et al., 1 Jun 2025). The consistency reward is
$0.823$00
the diversity reward ranks prompts by a combined Self-BLEU and embedding-similarity criterion, and the warm-up reward is
$0.823$01
The progressive jailbreak reward is
$0.823$02
On HarmBench averaged over eight models, the condensed table reports ASR/DIV values of approximately $0.823$03 for TAP, $0.823$04 for PAIR, $0.823$05 for AutoDAN-Turbo, $0.823$06 for GPO, $0.823$07 for ArrAttack, $0.823$08 for Jailbreak-R1-Zero, and $0.823$09 for Jailbreak-R1 (Guo et al., 1 Jun 2025). Average jailbreak efficiency is also reported, with Jailbreak-R1-Zero at $0.823$10 attempts per success and Jailbreak-R1 at $0.823$11 (Guo et al., 1 Jun 2025). The summary identifies limitations including single-turn attacks, reliance on multiple external models, and semantic-level prompt detectability. In this usage, “JailbreakQR” refers to an attack-generation framework, not an evaluation corpus.
6. JailbreakQR as a half-pixel QR-code attack
In “Dueling QR Codes: The Hyding of Dr. Jeckyl,” JailbreakQR is an optical attack against standard QR decoding rather than an LLM-security artifact (Noever et al., 4 Feb 2025). The technique exploits the fact that camera-based QR readers sample module centers. Function patterns—finder, timing, alignment, and format/version areas—are preserved from “QR A,” while only data modules are split. For each data module of size $0.823$12 pixels, the left half encodes the bit from message A and the right half encodes message B. Under one camera tilt, sampling points fall on the left halves and decode A; under the opposite tilt, they fall on the right halves and decode B (Noever et al., 4 Feb 2025).
The geometric model assumes a QR code lying in the plane $0.823$13, printed at module size $0.823$14 pixels per module, with a pinhole camera viewing it under small yaw angle $0.823$15 or pitch angle $0.823$16 (Noever et al., 4 Feb 2025). The lateral shift is proportional to $0.823$17 or $0.823$18. Under the first-order approximation, the relative offset is
$0.823$19
and reliable half-selection requires
$0.823$20
in radians (Noever et al., 4 Feb 2025). For $0.823$21–$0.823$22 px, this corresponds to an approximate minimum tilt of $0.823$23–$0.823$24. The same logic applies vertically when splitting top versus bottom halves, and diagonally when quarter-modules are used (Noever et al., 4 Feb 2025).
The code-generation procedure takes two messages, a common QR version and error-correction level, and a scale $0.823$25 with $0.823$26 px per module (Noever et al., 4 Feb 2025). Two standard QR codes of identical version and error-correction level are generated; structural elements are copied from QR1; each data module is rendered so that pixel columns $0.823$27 use the value from QR1 and columns $0.823$28 use the value from QR2. The method recommends forcing the same mask pattern in both QR codes. Canonical EICAR and GTUBE payloads are specifically named as test patterns (Noever et al., 4 Feb 2025).
The attack is reported to work with any unmodified ISO/IEC 18004:2015-compliant smartphone scanner or USB camera library such as Zxing or ZBar (Noever et al., 4 Feb 2025). Supported module scales are $0.823$29, $0.823$30, or $0.823$31 px per module. Empirical angle tolerances for 100% reliable decoding are given as horizontal yaw $0.823$32, vertical pitch $0.823$33, and diagonal combinations with $0.823$34 in $0.823$35 (Noever et al., 4 Feb 2025). Reported decoding success rates are 100% for horizontal dual messages across 20 hand-held smartphone models when $0.823$36–$0.823$37, 98% for vertical mode when $0.823$38–$0.823$39, and 95% for diagonal mode when $0.823$40–$0.823$41 (Noever et al., 4 Feb 2025). The mean bit-error rate before Reed-Solomon correction is approximately $0.823$42, fully corrected in all tested cases. Straight-on scans with $0.823$43 often yield no decode or mixed failures; extreme tilts above $0.823$44 break finder/timing pattern detection; and printed material must maintain less than $0.823$45 mm distortion (Noever et al., 4 Feb 2025).
The paper discusses both offensive and defensive implications. Potential uses include quishing, two-factor binding, and anti-counterfeit tags (Noever et al., 4 Feb 2025). Recommended defenses are multi-angle scanning with message-hash comparison, structural-module inspection for half-pixel gradients, straight-on-only policies that reject perspective distortion beyond $0.823$46, and physical watermarking or UV-fluorescent ink to break half-pixel symmetry (Noever et al., 4 Feb 2025). This usage of “JailbreakQR” is therefore a physical-layer barcode attack whose object of “jailbreak” is the QR sampling assumption rather than an LLM safety mechanism.