MIT Introduces Bug Bounty Program

The Massachusetts Institute of Technology (MIT), famed as one of the top tech schools in the country, introduced an “experimental” bug bounty program this week. The private, Cambridge-based research university is among the first academic institutions to announce a program designed to encourage finding security vulnerabilities in its web domains.

“The MIT Bug Bounty program is an experimental program aiming to improve MIT’s online security and foster a community for students to research and test the limits of cyber security in a responsible fashion,” read the website.

The bug bounty program is open to university affiliates with valid certifications, such as undergrads and graduate students. Participants that uncover vulnerabilities that fall within the in-scope domains are eligible for rewards. “As a thanks for helping keep the community safe, we are offering rewards in TechCASH for the responsible disclosure of severe vulnerabilities,” the website added. Students and staff may use TechCASH to purchase goods and services across campus. In addition, top contributors to the program will also have an opportunity to keep their Kerberos accounts following graduation. The MIT Bug Bounty website stated the university is particularly interested in the following types of vulnerability submissions:

• Remote Code Execution (RCE)
• SQL Injection
• Authorization bypass/escalation
• Information leaks
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)

Other guidelines for the program include avoiding publicly disclosing any vulnerability before it has been completely resolved, as well performing tests that will disrupt services, or impair students’ abilities to use them. Any bug that does not pose a real threat or demonstrable security risk will not be considered, along with Denial of Service Attacks (DOS); social engineering; physical exploits to MIT’s servers or networks; or local network-based exploits, such as DNS poisoning or ARP spoofing.