The MIT Security Bug Bounty Program

The MIT Bug Bounty Program is a student-founded project, run jointly with IS&T.

We invite MIT affiliates to explore and test the network's security in a responsible fashion. In order to encourage research and better security, we are offering TechCASH as thanks.

This program is currently in alpha testing. Rewards will not be given until the program is publicly launched.
If you encounter any bugs that are not security related, please report them to

Submit a Vulnerability

About This Program

The MIT Bug Bounty program is an experimental program aiming to improve MIT's online security and foster a community for students to research and test the limits of cyber security in a responsible fashion.

As thanks for helping keep the community safe, we are offering rewards in TechCASH for the responsible disclosure of severe vulnerabilities.

Top contributors to the program may be allowed to keep their kerberos accounts after graduation as thanks for their contribution to the MIT community.

The program has the following Rules and Restrictions:


We are currently looking for submission on the following domains:

In-Scope Domains****

We are particularly interested in the following classes of submissions:

In-Scope Vulnerabilities
Remote Code Execution (RCE)
SQL Injection
Authorization bypass / escalation
Information Leaks
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)

We do NOT want you to test for or report any of the following:

Vulnerabilities That Are Not In Scope
Any bug that does not pose a real or demonstrable security risk
Denial Of Service Attacks (DOS)
Social Engineering
Physical exploits of our servers or network
Local network-based exploits such as DNS poisoning or ARP spoofing


These are the current top hackers at MIT:

User Points Earned
1 tristanh 100
2 jaehyung 100
3 jheyns 25
4 Anonymous 25
5 devneal 25
6 fasano 25
7 Anonymous 25
8 Anonymous 10
9 aleksejs 10
10 bcarter 10


All bounties given are intended to show thanks, and are by no means payments for services. We reserve the right to not reward any report if we so choose, and will not be held accountable for time spent researching.

If you feel that any reward you receive is taxable, you should report it at your own discretion.