Papers
Topics
Authors
Recent
Search
2000 character limit reached

JailbreakQR: Divergent Paradigms in AI and QR Codes

Updated 4 July 2026
  • JailbreakQR is a polysemous term representing distinct research artifacts in LLM safety and QR-code security, including benchmarks, evaluation frameworks, red-teaming pipelines, and physical-layer attacks.
  • In the LLM context, it introduces rigorous, decompositional evaluation methods with human-annotated data that achieve high accuracy and substantially reduce false positives compared to earlier proxies.
  • In QR-code security, it describes a half-pixel module-splitting attack that leverages controlled camera tilt to alternately decode dual embedded messages with near-perfect reliability.

JailbreakQR is a polysemous term used in 2025 arXiv literature for several distinct research artifacts rather than a single, stable object. In LLM safety, it denotes a human-annotated jailbreak-evaluation benchmark introduced with JADES (Chu et al., 28 Aug 2025), a quantitative jailbreak-evaluation design distilled from the scenario-adaptive SceneJailEval framework (Jiang et al., 8 Aug 2025), and, in one technical summary, a reference to the Jailbreak-R1 automated red-teaming framework (Guo et al., 1 Jun 2025). In QR-code security, the same label denotes the half-pixel module-splitting attack presented in “Dueling QR Codes: The Hyding of Dr. Jeckyl” (Noever et al., 4 Feb 2025). The shared name therefore spans benchmark construction, evaluation methodology, attack generation, and optical barcode exploitation.

1. Terminological scope and disambiguation

A common source of confusion is that “JailbreakQR” does not identify a single benchmark, framework, or attack. The term is used for multiple non-equivalent entities with different goals, data models, and evaluation targets.

Source Meaning of “JailbreakQR” Object type
JADES (Chu et al., 28 Aug 2025) a newly introduced benchmark of 400 prompt–response pairs human-annotated jailbreak benchmark
SceneJailEval summary (Jiang et al., 8 Aug 2025) a quantitative jailbreak-evaluation design scenario-adaptive evaluation framework plus 14-scenario dataset
Jailbreak-R1 summary (Guo et al., 1 Jun 2025) a reference to the Jailbreak-R1 framework automated red-teaming training pipeline
“Dueling QR Codes” (Noever et al., 4 Feb 2025) the half-pixel module-splitting attack angle-dependent dual-message QR code technique

This suggests that “JailbreakQR” functions more as a reused label than as a settled term of art. In the LLM literature, the label attaches to evaluation and attack-generation systems; in the barcode literature, it refers to a physical-layer attack against ISO/IEC 18004:2015-compliant QR decoding (Noever et al., 4 Feb 2025).

2. JailbreakQR as a human-annotated jailbreak benchmark

In “JADES: A Universal Framework for Jailbreak Assessment via Decompositional Scoring,” JailbreakQR is introduced to address a specific weakness of prior jailbreak benchmarks: they collect open-ended harmful questions without reference answers, so success is judged by crude proxies such as string matches, toxicity flags, or naive holistic LLM judgments (Chu et al., 28 Aug 2025). The stated motivation is that such proxies misinterpret model outputs and inflate success rates. JailbreakQR is therefore positioned as a small but carefully human-annotated benchmark with clear success/failure criteria, intended to anchor automated judges against a gold standard.

The benchmark contains 400 prompt–response pairs sampled from a larger pool of 4,160 instances, derived from 260 harmful questions, 5 attacks, and 4 models (Chu et al., 28 Aug 2025). Each pair receives one of three ordinal labels: failed, partially successful, or successful. Beyond the primary label, the benchmark tracks which jailbreak method produced the response—GCG, DSN, LAA, PAIR, or JailbreakChat—and which target LLM was evaluated: Vicuna, Llama-2, GPT-3.5-Turbo, or GPT-4.

Label Count Percentage
failed 145 36.25%
partially successful 138 34.50%
successful 117 29.25%

The benchmark’s role is explicitly to bridge the gap between expensive manual evaluation and error-prone proxies (Chu et al., 28 Aug 2025). It supports both binary attack success rate measurement and finer-grained ordinal analysis, making it suitable for evaluating whether an automated judge captures partial fulfillment rather than only overt refusal or overt compliance.

3. Annotation protocol, formal scoring, and empirical findings in JADES

The annotation protocol permits either decomposition or holistic labeling. Annotators may decompose the harmful question into sub-questions, mark each as critical or supporting, judge each sub-question as Fulfilled, Partially Fulfilled, or Not Fulfilled, and then aggregate these judgments into failed, partially successful, or successful (Chu et al., 28 Aug 2025). If they choose not to decompose, they label holistically against the original question. Each of the 400 pairs was labeled by three independent annotators; disagreements were resolved by majority vote; Krippendorff’s ordinal α\alpha was $0.823$, reported as “almost perfect” agreement by Landis & Koch (Chu et al., 28 Aug 2025). For failed and partially successful cases, annotators also wrote free-text explanations.

The JADES framework uses JailbreakQR with a decompositional scoring formalism. A harmful question QQ is broken into weighted sub-questions

{(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.

The response is split into sentences, irrelevant sentences are removed, and a pairing agent matches relevant sentences to each qiq_i (Chu et al., 28 Aug 2025). Each sub-answer receives a five-level Likert score

si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},

and the overall score is

Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].

The binary mapping is Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure} and Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}; the ternary mapping is Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}, $0.823$0, and $0.823$1 (Chu et al., 28 Aug 2025).

Empirically, JADES was evaluated on JailbreakQR against StringMatch, JailbreakRadar, JailbreakBench, HarmBench, and StrongReject, using GPT-4o agents at temperature $0.823$2 (Chu et al., 28 Aug 2025). In the binary setting on 400 pairs, JADES achieved Accuracy $0.823$3, Precision $0.823$4, Recall $0.823$5, and $0.823$6; the best baseline remained below $0.823$7 in Accuracy and below $0.823$8 in Precision and $0.823$9 (Chu et al., 28 Aug 2025). The system incurred only QQ0 false positives and QQ1 false negatives, and out-performed prior proxies by at least QQ2 points in Accuracy. In the ternary setting, overall Accuracy was QQ3, with per-class QQ4 of QQ5 for failed, QQ6 for partially successful, and QQ7 for successful, giving Macro-QQ8 (Chu et al., 28 Aug 2025).

The benchmark was also used to re-evaluate five popular attacks on four LLMs. Under binary ASR, previously reported attack success rates were materially reduced; for example, GPT-3.5 + LAA dropped from QQ9 to {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.0, Vicuna + DSN from {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.1 to {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.2, and Llama-2 + LAA from {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.3 to {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.4 (Chu et al., 28 Aug 2025). Under ternary evaluation, most nominal ASR “successes” became partial successes, with {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.5 for nearly all method–model pairs. The recommended practice is to report ternary labels alongside binary ASR, introduce PSR and {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.6, prefer analytic or decompositional evaluation over holistic proxies, optionally integrate fact-checking, calibrate sub-question weights for domain transfer, and preserve a human-in-the-loop path for edge-case decomposition errors (Chu et al., 28 Aug 2025).

4. JailbreakQR as a scenario-adaptive quantitative evaluation design

A separate use of the term appears in the consolidated reference derived from “Beyond Uniform Criteria: Scenario-Adaptive Multi-Dimensional Jailbreak Evaluation,” where “JailbreakQR” denotes a quantitative jailbreak-evaluation design driven by the SceneJailEval framework (Jiang et al., 8 Aug 2025). SceneJailEval is motivated by the claim that binary classification yields only “yes/no” labels without quantifying harm intensity, while existing multi-dimensional frameworks apply uniform criteria across scenarios, causing scenario-specific mismatches such as the irrelevance of “Relative Truthfulness” to “hate speech” (Jiang et al., 8 Aug 2025).

SceneJailEval organizes evaluation into four modules: Scenario Classification, Scenario-Dim Adapter, Jailbreak Detection, and Harmfulness Evaluation (Jiang et al., 8 Aug 2025). For each query–response pair {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.7, it returns a jailbreak flag {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.8 and a harm score {(qi,wi)}i=1n,i=1nwi=1,wi0.\{(q_i,w_i)\}_{i=1}^n,\qquad \sum_{i=1}^n w_i = 1,\qquad w_i \ge 0.9 on a qiq_i0–max scale. The scenario classifier maps qiq_i1 to one of qiq_i2 scenarios. The adapter then selects scenario-specific detection dimensions qiq_i3, detection rules qiq_i4, harm dimensions qiq_i5, harm criteria qiq_i6, and weights qiq_i7, with irrelevant dimensions assigned weight qiq_i8 (Jiang et al., 8 Aug 2025).

The detection dimensions are Rejection, Helpfulness, RegionalCompliance, RiskWarning, PoliticalNeutrality, and Explicitness. The harmfulness dimensions, derived from DREAD/CVSS risk models on a qiq_i9–si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},0 scale, are Authenticity, Specificity, Severity, and ImpactScope (Jiang et al., 8 Aug 2025). The formal definitions are

si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},1

and

si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},2

For expert elicitation and weight derivation, the framework reports the Delphi consensus statistics

si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},3

and the AHP relation

si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},4

with normalization and the consistency condition

si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},5

(Jiang et al., 8 Aug 2025).

The accompanying dataset covers 14 scenarios: Violent Crime, Non-violent Crime, Sex-related Crime, Child Sexual Exploitation, False Information / Defamation, Professional Advice (med/finance/legal), Privacy Invasion, IP Infringement, Weapons of Mass Destruction, Hate / Discrimination, Suicide / Self-harm, Sexual Content, Political Agitation / Elections, and Regional Sensitive Issues (Jiang et al., 8 Aug 2025). It contains 1,308 samples, with approximately 80–120 queries per scenario, Chinese and English support, region tags including CN, US, and EU, and metadata for scenario, sub-scenario, query, response, detection labels si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},6, harm scores si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},7, and expert consensus weights si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},8 (Jiang et al., 8 Aug 2025).

The reported detection metrics are Precision, Recall, si{0.00,0.25,0.50,0.75,1.00},s_i \in \{0.00,\,0.25,\,0.50,\,0.75,\,1.00\},9, and Accuracy; harmfulness is measured with NMAE and Spearman Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].0; open-set security is measured with ASR and AvgHarm (Jiang et al., 8 Aug 2025). On the in-house dataset, the “Ours” system reports Accuracy Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].1, Precision Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].2, Recall Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].3, and Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].4 (approximately Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].5). The abstract further states that SceneJailEval achieves an Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].6 score of Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].7 on the full-scenario dataset, representing Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].8 over prior SOTA, and Stotal=i=1nwisi[0,1].S_{\mathrm{total}} = \sum_{i=1}^n w_i s_i \in [0,1].9 on JBB, representing Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}0 over prior SOTA (Jiang et al., 8 Aug 2025). On public benchmarks, the table reports Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}1 on JBB, Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}2 on JailJudge, and Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}3 on Safe-RLHF, with the note that Beaver is heavily fine-tuned to Safe-RLHF (Jiang et al., 8 Aug 2025).

An important design property is extensibility. New scenarios and new dimensions can be added through API-style interfaces, and a “Product Consultation” case study defines a detection dimension called Loyalty and harm dimensions Derogation and Specificity (Jiang et al., 8 Aug 2025). For that 200-query custom test, the reported results are Acc/Prec/Rec/Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}4, NMAE Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}5, and Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}6. This suggests that, in this usage, JailbreakQR is not merely a label set but a configurable quantitative evaluation stack for scenario-aware red-teaming.

5. JailbreakQR as a reference to Jailbreak-R1

In the technical summary associated with “Jailbreak-R1: Exploring the Jailbreak Capabilities of LLMs via Reinforcement Learning,” “JailbreakQR” is used as a reference to the Jailbreak-R1 framework rather than to a benchmark (Guo et al., 1 Jun 2025). The framework targets automated red teaming and is organized as a three-stage training pipeline: Cold Start, Warm-up Exploration, and Enhanced Jailbreak.

Cold Start performs imitation learning and supervised finetuning on Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}7 of approximately Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}8K examples rewritten into the template "> …<attack>…</attack>", using 2 epochs, learning rate Stotal0.25failureS_{\mathrm{total}} \le 0.25 \mapsto \text{failure}9, and batch size Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}0 (Guo et al., 1 Jun 2025). Warm-up Exploration trains on Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}1 of Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}2K targets using Group Relative Policy Optimization, with rewards Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}3 and Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}4, 1 epoch, learning rate Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}5, batch size Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}6, Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}7 samples per input, Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}8, and Stotal>0.25successS_{\mathrm{total}} > 0.25 \mapsto \text{success}9 (Guo et al., 1 Jun 2025). Enhanced Jailbreak introduces progressive jailbreak rewards by sequentially training against progressively weakened target models Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}0 on Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}1 of Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}2K targets, with learning rate Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}3, batch size Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}4, Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}5 samples per input, Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}6, and temperature Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}7 (Guo et al., 1 Jun 2025).

The formalism is an MDP whose state is the partial generation state Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}8, whose action space is the token vocabulary, and whose policy is the transformer-based sequence model Stotal0.25failedS_{\mathrm{total}} \le 0.25 \mapsto \text{failed}9 (Guo et al., 1 Jun 2025). The consistency reward is

$0.823$00

the diversity reward ranks prompts by a combined Self-BLEU and embedding-similarity criterion, and the warm-up reward is

$0.823$01

The progressive jailbreak reward is

$0.823$02

(Guo et al., 1 Jun 2025)

On HarmBench averaged over eight models, the condensed table reports ASR/DIV values of approximately $0.823$03 for TAP, $0.823$04 for PAIR, $0.823$05 for AutoDAN-Turbo, $0.823$06 for GPO, $0.823$07 for ArrAttack, $0.823$08 for Jailbreak-R1-Zero, and $0.823$09 for Jailbreak-R1 (Guo et al., 1 Jun 2025). Average jailbreak efficiency is also reported, with Jailbreak-R1-Zero at $0.823$10 attempts per success and Jailbreak-R1 at $0.823$11 (Guo et al., 1 Jun 2025). The summary identifies limitations including single-turn attacks, reliance on multiple external models, and semantic-level prompt detectability. In this usage, “JailbreakQR” refers to an attack-generation framework, not an evaluation corpus.

6. JailbreakQR as a half-pixel QR-code attack

In “Dueling QR Codes: The Hyding of Dr. Jeckyl,” JailbreakQR is an optical attack against standard QR decoding rather than an LLM-security artifact (Noever et al., 4 Feb 2025). The technique exploits the fact that camera-based QR readers sample module centers. Function patterns—finder, timing, alignment, and format/version areas—are preserved from “QR A,” while only data modules are split. For each data module of size $0.823$12 pixels, the left half encodes the bit from message A and the right half encodes message B. Under one camera tilt, sampling points fall on the left halves and decode A; under the opposite tilt, they fall on the right halves and decode B (Noever et al., 4 Feb 2025).

The geometric model assumes a QR code lying in the plane $0.823$13, printed at module size $0.823$14 pixels per module, with a pinhole camera viewing it under small yaw angle $0.823$15 or pitch angle $0.823$16 (Noever et al., 4 Feb 2025). The lateral shift is proportional to $0.823$17 or $0.823$18. Under the first-order approximation, the relative offset is

$0.823$19

and reliable half-selection requires

$0.823$20

in radians (Noever et al., 4 Feb 2025). For $0.823$21–$0.823$22 px, this corresponds to an approximate minimum tilt of $0.823$23–$0.823$24. The same logic applies vertically when splitting top versus bottom halves, and diagonally when quarter-modules are used (Noever et al., 4 Feb 2025).

The code-generation procedure takes two messages, a common QR version and error-correction level, and a scale $0.823$25 with $0.823$26 px per module (Noever et al., 4 Feb 2025). Two standard QR codes of identical version and error-correction level are generated; structural elements are copied from QR1; each data module is rendered so that pixel columns $0.823$27 use the value from QR1 and columns $0.823$28 use the value from QR2. The method recommends forcing the same mask pattern in both QR codes. Canonical EICAR and GTUBE payloads are specifically named as test patterns (Noever et al., 4 Feb 2025).

The attack is reported to work with any unmodified ISO/IEC 18004:2015-compliant smartphone scanner or USB camera library such as Zxing or ZBar (Noever et al., 4 Feb 2025). Supported module scales are $0.823$29, $0.823$30, or $0.823$31 px per module. Empirical angle tolerances for 100% reliable decoding are given as horizontal yaw $0.823$32, vertical pitch $0.823$33, and diagonal combinations with $0.823$34 in $0.823$35 (Noever et al., 4 Feb 2025). Reported decoding success rates are 100% for horizontal dual messages across 20 hand-held smartphone models when $0.823$36–$0.823$37, 98% for vertical mode when $0.823$38–$0.823$39, and 95% for diagonal mode when $0.823$40–$0.823$41 (Noever et al., 4 Feb 2025). The mean bit-error rate before Reed-Solomon correction is approximately $0.823$42, fully corrected in all tested cases. Straight-on scans with $0.823$43 often yield no decode or mixed failures; extreme tilts above $0.823$44 break finder/timing pattern detection; and printed material must maintain less than $0.823$45 mm distortion (Noever et al., 4 Feb 2025).

The paper discusses both offensive and defensive implications. Potential uses include quishing, two-factor binding, and anti-counterfeit tags (Noever et al., 4 Feb 2025). Recommended defenses are multi-angle scanning with message-hash comparison, structural-module inspection for half-pixel gradients, straight-on-only policies that reject perspective distortion beyond $0.823$46, and physical watermarking or UV-fluorescent ink to break half-pixel symmetry (Noever et al., 4 Feb 2025). This usage of “JailbreakQR” is therefore a physical-layer barcode attack whose object of “jailbreak” is the QR sampling assumption rather than an LLM safety mechanism.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to JailbreakQR.