The MIT Security Bug Bounty Program
The MIT Bug Bounty Program is a student-founded project, run jointly with IS&T.
We invite MIT affiliates to explore and test the network's security in a responsible fashion. In order to encourage research and better security, we are offering TechCASH as thanks.
This program is currently in alpha testing. Rewards will not be given until the program is publicly launched.
If you encounter any bugs that are not security related, please report them to bounty-dev@mit.edu.
About This Program
The MIT Bug Bounty program is an experimental program aiming to improve MIT's online security and foster a community for students to research and test the limits of cyber security in a responsible fashion.
As thanks for helping keep the community safe, we are offering rewards in TechCASH for the responsible disclosure of severe vulnerabilities.
Top contributors to the program may be allowed to keep their Kerberos accounts after graduation as thanks for their contribution to the MIT community.
The program has the following Rules and Restrictions:
- In order to take part in this program, you must be an MIT affiliate with valid certificates. If you are not eligible for the bounty program, you may still submit reports to our standard reporting system here.
- Do not attempt to read, write, or access any private data you gain access to.
- Do not publicly disclose any vulnerabilities before they have been completely resolved.
- Do not perform any tests that will disrupt services or impair students' abilities to use them.
- Do not use noisy automated scanners.
- All testing must fall within the scopes and domains listed in the section below.
Scope
We are currently looking for submissions on the following domains:
In-Scope Domains
- https://student.mit.edu/*
- https://atlas.mit.edu/*
- https://learning-modules.mit.edu/*
- https://bounty.mit.edu/*
We are particularly interested in the following classes of submissions:
In-Scope Vulnerabilities
- Remote Code Execution (RCE)
- SQL Injection
- Authorization bypass / escalation
- Information Leaks
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
We do NOT want you to test for or report any of the following:
Vulnerabilities That Are Not In Scope
- Any bug that does not pose a real or demonstrable security risk
- Denial of Service (DoS) attacks
- Social Engineering
- Physical exploits of our servers or network
- Local network-based exploits such as DNS poisoning or ARP spoofing
Leaderboard
These are the current top hackers at MIT:
Rank  User       Points Earned
1     tristanh   100
2     jaehyung   100
3     jheyns     25
4     Anonymous  25
5     devneal    25
6     fasano     25
7     Anonymous  25
8     Anonymous  10
9     aleksejs   10
10    bcarter    10
Terms
All bounties given are intended to show thanks, and are by no means payments for services. We reserve the right to not reward any report if we so choose, and will not be held accountable for time spent researching.
If you feel that any reward you receive is taxable, you should report it at your own discretion.