Stanford Bug Bounty Launch
The Information Security Office (ISO) is excited to announce an experiment in improving the university's cybersecurity posture through formalized community involvement: the Stanford Bug Bounty program.
Beginning on Jan. 19, undergrad/grad students, postdocs, and full-time benefits eligible employees can responsibly hunt for cybersecurity vulnerabilities (subject to the terms of the program) and earn rewards up to $1,000 per find.
Stanford is one of a very few universities to implement a bug bounty program. For the first time ever, our students, faculty, and staff are joining forces in discovering and reporting vulnerabilities, protecting Stanford’s critical infrastructure in the process. For students in particular, the objective is to encourage the responsible application of cybersecurity skills outside of the traditional classroom environment, while providing exposure to the operations of an information security office.
Bug bounty kick-off success
To mark the official launch of the program, ISO hosted a hackathon-style event on Saturday, Jan. 19 where participants submitted more than 20 vulnerability reports, earning rewards of $1,950. Over the next two days, more reports were submitted and rewards have now totaled more than $5,000. See the event wrap-up video.
In the high-stakes world of cybersecurity, we’re engaged in a relentless race: finding and fixing system vulnerabilities before our adversaries discover and exploit them.
Here at Stanford, ISO continuously scans systems for vulnerabilities, and IT teams fix them as quickly as they can. However, some vulnerabilities elude automated scanning and instead require hacking expertise and focused effort in order to uncover them. By drawing on the university community, we amplify our ability to prevail against the cyber adversaries.
Bug bounty champion
Jack Cable - a Stanford freshman who was instrumental in establishing this program - is a resident bug bounty champion, having received accolades from HackerOne and the Pentagon, among many others.
“By establishing a bug bounty program, Stanford is paving the way for universities to be more proactive when it comes to security," Cable said. "This is also an unprecedented opportunity to educate the next generation of computer scientists to become more aware of security practices, which is fundamental to improving the state of security.”