Evaluation and alignment pipelines for large language models increasingly rely on LLM-based judges, whose behavior is guided by natural-language rubrics and validated on benchmarks. We identify a previously under-recognized vulnerability in this workflow, which we term Rubric-Induced Preference Drift (RIPD). Even when rubric edits pass benchmark validation, they can still produce systematic and directional shifts in a judge's preferences on target domains. Because rubrics serve as a high-level decision interface, such drift can emerge from seemingly natural, criterion-preserving edits and remain difficult to detect through aggregate benchmark metrics or limited spot-checking. We further show this vulnerability can be exploited through rubric-based preference attacks, in which benchmark-compliant rubric edits steer judgments away from a fixed human or trusted reference on target domains, systematically inducing RIPD and reducing target-domain accuracy up to 9.5% (helpfulness) and 27.9% (harmlessness). When these judgments are used to generate preference labels for downstream post-training, the induced bias propagates through alignment pipelines and becomes internalized in trained policies. This leads to persistent and systematic drift in model behavior. Overall, our findings highlight evaluation rubrics as a sensitive and manipulable control interface, revealing a system-level alignment risk that extends beyond evaluator reliability alone. The code is available at: https://github.com/ZDCSlab/Rubrics-as-an-Attack-Surface. Warning: Certain sections may contain potentially harmful content that may not be appropriate for all readers.

翻译：大型语言模型的评估与对齐流程日益依赖基于LLM的评判者，其行为由自然语言评分标准引导并通过基准测试验证。我们发现该工作流中存在一个先前未被充分认识的漏洞，称之为"评分标准诱导的偏好漂移"。即使评分标准修改通过了基准验证，仍可能在目标领域导致评判者偏好产生系统性、方向性偏移。由于评分标准作为高层决策接口，此类漂移可能源于看似自然且保持准则的修改，并难以通过聚合基准指标或有限抽查被发现。我们进一步证明该漏洞可通过基于评分标准的偏好攻击被利用——符合基准的评分标准修改会在目标领域引导判断偏离固定的人类或可信参照标准，系统性地诱发偏好漂移，使目标领域准确率最高降低9.5%（有益性）和27.9%（无害性）。当这些判断被用于生成下游后训练所需的偏好标签时，诱导的偏差会通过对齐流程传播并内化至训练策略中，导致模型行为出现持续系统性偏移。总体而言，我们的研究揭示了评分标准作为敏感且可操纵的控制接口，暴露了超越评估者可靠性的系统级对齐风险。代码发布于：https://github.com/ZDCSlab/Rubrics-as-an-Attack-Surface。警告：部分章节可能包含潜在有害内容，或不适合所有读者阅读。