The effectiveness of bug bounty programs is difficult to deny, especially after the adoption of one at Uber, which announced last month it would begin paying $10,000 for critical bugs, and at the Department of Defense, whose Hack the Pentagon program illustrates the government’s softening stance on hackers.
The Massachusetts Institute of Technology announced this week that it will follow in those footsteps and launch its own experimental bug bounty program, becoming one of the first academic institutions to reward hackers who find and responsibly disclose vulnerabilities on the school’s sites.
The university admits it’s just testing the waters with the program, but nonetheless disclosed some details around what it calls an alpha program earlier this week.
In order to take part in the bug bounty program, MIT naturally has a few stipulations. First and foremost, only accredited MIT affiliates, including university undergraduates and graduate students, may apply.
Students who find any bugs on the school’s sites are being asked not to exploit them by reading, writing or accessing private data they may come across. The school is also urging participants not to disclose any vulnerabilities until they’ve been resolved and not to perform any tests that would disrupt the school’s services or interfere with students.
A handful of internal domains will qualify for the bounty, including ones belonging to the school’s administrative-systems hub, Atlas, and Learning Modules, which houses Stellar, the school’s course management system.
Ideally, the school is hoping the bounty prompts students to find vulnerabilities of all shapes and sizes, including information leaks, cross-site request forgery (CSRF) vulnerabilities, cross-site scripting (XSS) vulnerabilities, SQL injection, authorization bypass vulnerabilities, and remote code execution vulnerabilities.
Students who responsibly disclose bugs will be awarded with a deposit to their TechCASH account — money that can be used at restaurants, florists, and grocery stores around Central Square, in Cambridge, Mass., where the university is located.
The school is also hoping to lure more tech-savvy contributors by giving top contributors the option to keep their Kerberos accounts after graduation. MIT community members are allowed to sign up for a Kerberos identity through the network authentication protocol, which gives them an added layer of authentication.
A former MIT student debuted a static-analysis tool earlier this week called Space. The web application security scanner, developed under the supervision of MIT Computer Science and Artificial Intelligence Laboratory professor Daniel Jackson, can find vulnerabilities in just about a minute.