The MIT Security Bug Bounty Program


We do our best to keep MIT's network and services secure, but we're not perfect.

If you're an MIT affiliate and find a security vulnerability that falls within scope, we'll reward you for responsibly disclosing it to us!


This program is currently in alpha testing. Rewards will not be given until the program is publicly launched.
If you encounter any bugs that are not security related, please report them to bounty-dev@mit.edu









About This Program


The MIT Bug Bounty program is an experimental program that aims to improve MIT's online security and to foster a community in which students can research and test the limits of cybersecurity responsibly.

As thanks for helping keep the community safe, we are offering rewards in TechCASH for the responsible disclosure of severe vulnerabilities.

Top contributors to the program may be allowed to keep their Kerberos accounts after graduation as thanks for their contribution to the MIT community.


The program has the following Rules and Restrictions:


Scope

We are currently looking for submissions on the following domains:


In-Scope Domains
https://student.mit.edu/*
https://atlas.mit.edu/*
https://learning-modules.mit.edu/*
https://bounty.mit.edu/*



We are particularly interested in the following classes of submissions:


In-Scope Vulnerabilities
Remote Code Execution (RCE)
SQL Injection
Authorization bypass / escalation
Information Leaks
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)



We do NOT want you to test for or report any of the following:


Vulnerabilities That Are Not In Scope
Any bug that does not pose a real, demonstrable security risk
Denial of Service (DoS) attacks
Social engineering
Physical attacks on our servers or network
Local network-based attacks such as DNS poisoning or ARP spoofing





Leaderboard

These are the top hackers at MIT for the 2015-2016 school year.

Rank  User      Points Earned
1     tristanh  100
2     jheyns    25


Legal


All bounties given are intended to show thanks and are by no means payments for services. We reserve the right to withhold a reward for any report at our sole discretion, and we are not liable for time spent on research.

If a reward you receive is taxable, reporting it is your own responsibility.