Rewards
Stanford reserves the right to not reward any submission if we so choose, and we will not provide compensation for time spent researching.
Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and not eligible for a bounty.
Vulnerability severities and reward amounts are determined at the discretion of the Information Security Office. For instance, a cross-site scripting vulnerability on a static, unauthenticated website may be classified as less severe compared to a cross-site scripting vulnerability that has the potential to compromise user accounts.
Cumulative rewards in excess of $50 are taxable, and you must report them as income on your tax returns.
Reward amounts and vulnerability severity classifications are subject to change at any time.
| Severity | Reward Amount (in USD) |
|---|---|
| Critical | $500-$1,000 |
| High | $500-$800 |
| Medium | $50-$100 |
| Low | $50 |
| Accepted Risk or Informational | $0 |
| Vulnerability | Severity Range | Points |
|---|---|---|
| Remote Code Execution | Critical | 500 |
| SQL Injection | High - Critical | 500 |
| XXE | High - Critical | 500 |
| XSS | Medium - Critical | 300 |
| Server-Side Request Forgery | Low - Critical | 300 |
| Directory Traversal - Local File Inclusion | Medium - High | 300 |
| Authentication/Authorization Bypass (Broken Access Control) | Medium - High | 300 |
| Privilege Escalation | Medium - High | 300 |
| Insecure Direct Object Reference | Medium - Critical | 300 |
| Misconfiguration | Low - High | 200 |
| Web Cache Deception | Low - Medium | 100 |
| CORS Misconfiguration | Low - Medium | 100 |
| CRLF Injection | Low - Medium | 100 |
| Cross Site Request Forgery | Low - Medium | 100 |
| Open Redirect | Low - Medium | 50 |
| Information Disclosure | Low - Medium | 50 |
| Request Smuggling | Low - Medium | 50 |
- Bonus Points
In addition to being eligible for the Bug Hunter Wizard tier of badges, reports that are received with a clear impact statement and detailed remediation recommendations will receive 100 bonus points for their submissions.
- Risk Class
Reports on systems classified as High Risk will receive the highest bounty within the vulnerability's severity range.