Students Invited to Hunt Down Online Vulnerabilities on Stanford Systems
By Dian Schaffhauser
02/26/19
Stanford University has implemented a "bug bounty" program that pays people for finding vulnerabilities in the university's software systems. Set up by the Information Security office, the program is open only to Stanford students and full-time employees. Rewards range from $50 to $1,000, all paid in Amazon gift cards.
During the pilot phase, only a limited set of domains and vulnerability classes is eligible for rewards. The largest rewards go to anyone who finds a problem classed as "critical," such as remote code execution or SQL injection. The other tiers are "high" severity problems, such as exposure of sensitive information, and "medium" problems, such as cross-site scripting or cross-site request forgery.
To be eligible for a reward, participants must comply with a set of rules: not publicly disclosing a vulnerability without permission from the security office, not running tests that would disrupt others' services, and testing a vulnerability only to the extent needed to "effectively demonstrate the presence" of the problem. Anyone who encounters private information during testing is told to "cease testing and submit a report immediately."
The security office says it does not want to deter people from reporting problems in systems outside the program's current list of web domains. However, university spokesperson Brad Hayward told the student newspaper the Stanford Daily that the bug bounty is "an experimental program." The thinking was "to begin with a very limited set of systems to gauge the response," and then "gradually expand" the program to additional domains over time.
The same article reported on a finding that the bug bounty program did not cover because the affected system was outside the listed domains: a student discovered that by changing the student ID number used when accessing a particular online application, other students' records, in some cases including Social Security numbers, could be viewed. In other words, the application looked up records by a client-supplied identifier without checking that the logged-in student was entitled to the file, an access-control failure rather than a flaw in authentication itself. The affected application was Nolij Web, a third-party content management system the university has used for the last decade to host scanned files. Since 2015, the article reported, students who submitted FERPA requests have been able to view their files through Nolij. The exposed data might have included information on students' ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Nolij was acquired from Perceptive by Hyland in 2017; in December 2018 the company announced it would cease development of the product and transition its customers to OnBase, its own content system.
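The flaw the Daily described, a record lookup that trusts a client-supplied identifier, looks like this in miniature. The code below is an added illustration, not code from Nolij Web, Hyland or Stanford; the in-memory RECORDS table, the student IDs and the function names are all constructed for the example. It pairs the vulnerable lookup with two fixes (authorizing the lookup against the session identity, and dropping the client-controlled key entirely) and includes the counting check a tester would run to demonstrate the problem without reading other people's files.

```python
"""Hypothetical illustration of an access-control flaw in a record lookup
that trusts a client-supplied student ID.  Added example code, not the
Nolij Web application or any Stanford system."""

from dataclasses import dataclass
from typing import Callable, Dict, List


class AccessDenied(Exception):
    """Raised when the requester may not view the record (or it does not exist)."""


@dataclass(frozen=True)
class Record:
    owner_id: str   # student ID that owns the scanned file
    contents: str   # stand-in for the file body


# Constructed sample data: four scanned files keyed by a record ID that equals
# the owning student's ID, a sequential and therefore guessable key.
RECORDS: Dict[str, Record] = {
    "05000120": Record("05000120", "transcript: student A"),
    "05000121": Record("05000121", "admission essay: student B"),
    "05000122": Record("05000122", "financial aid form: student C"),
    "05000123": Record("05000123", "FERPA file: student D"),
}


def fetch_record_vulnerable(session_user: str, requested_id: str) -> Record:
    """Authenticated but not authorized: the session only proves someone is
    logged in; the record returned is whatever ID the client asked for."""
    record = RECORDS.get(requested_id)
    if record is None:
        raise AccessDenied("no such record")
    return record


def fetch_record_hardened(session_user: str, requested_id: str) -> Record:
    """Authorize the lookup against the authenticated identity.  A missing
    record and someone else's record produce the same error, so the endpoint
    does not become an oracle for which IDs exist."""
    record = RECORDS.get(requested_id)
    if record is None or record.owner_id != session_user:
        raise AccessDenied("no such record")
    return record


def list_own_records(session_user: str) -> List[Record]:
    """Alternative design that removes the client-controlled key entirely:
    the server derives the viewable set from the session, not the URL."""
    return [r for _, r in sorted(RECORDS.items()) if r.owner_id == session_user]


def id_range(start: str, count: int) -> List[str]:
    """Neighbouring IDs the way an attacker would build them: increment the
    number while keeping the zero-padded width."""
    width = len(start)
    return [str(int(start) + i).zfill(width) for i in range(count)]


def accessible_ids(fetch: Callable[[str, str], Record],
                   session_user: str, candidate_ids: List[str]) -> List[str]:
    """Which of a range of IDs one logged-in user can read.  This only records
    that a lookup succeeded; it never inspects the returned contents, which is
    as far as a bounty tester should go before reporting."""
    readable: List[str] = []
    for rid in candidate_ids:
        try:
            fetch(session_user, rid)
        except AccessDenied:
            continue
        readable.append(rid)
    return readable


if __name__ == "__main__":
    me = "05000123"
    probe = id_range("05000120", 4)
    print("vulnerable:", accessible_ids(fetch_record_vulnerable, me, probe))
    print("hardened:  ", accessible_ids(fetch_record_hardened, me, probe))
    print("own files: ", [r.contents for r in list_own_records(me)])
```

Run as a script, the vulnerable lookup lets the single logged-in user "05000123" read all four neighbouring records, while the hardened lookup returns only that user's own record. The important design point is the second branch in fetch_record_hardened: the ownership check happens on the server against the session identity, and a foreign record is indistinguishable from a missing one.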
The bug bounty program was kicked off with a hackathon in mid-January, at which participants submitted more than 20 reports and earned rewards totaling $1,950. Within the week, further reports came in, bringing payouts to $5,000.
About the Author
Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.