Data Security

Students Invited to Hunt Down Online Vulnerabilities on Stanford Systems

• By Dian Schaffhauser
• 02/26/19

Stanford University has implemented a "bug bounty" program that pays people for finding vulnerabilities in the university's software systems. Set up by the Information Security office, the program is only open to Stanford students and full-time employees. Rewards range from $50 to $1,000, all paid in Amazon gift cards.

During a pilot phase, a limited number of domains and vulnerabilities are being considered for the payoffs. The bigger rewards go to anybody finding problems defined as "critical," including remote code execution or SQL injection. Other categories include "high" severity problems, such as exposure of sensitive information, and "medium" problems, such as cross-site scripting or request forgeries.

To be eligible to collect a reward, participants need to comply with a set of rules that includes not publicly disclosing the vulnerabilities without permission from the security office, not performing tests that would disrupt others' services and checking a vulnerability only to the extent that's needed to "effectively demonstrate the presence" of the problem. Users who encounter private information are told to "cease testing and submit a report immediately."

The security office doesn't want to deter people from reporting problems that are outside the scope of the existing list of web domains. However, said university spokesperson Brad Hayward, in an article in student newspaper, the Stanford Daily, the bug bounty idea is "an experimental program." Therefore, the thinking was "to begin with a very limited set of systems to gauge the response," and then "gradually expand" the program over time to additional domains.

The same article reported on a finding not covered by the bug bounty program (it was out of domain), in which a student discovered that by tweaking the student ID number when accessing a specific online program, other students' data — including, in some cases, the social security number — could be viewed. In that situation, the program affected was Nolij Web, a third-party content management system that has been used for the last decade to host scanned files. Since 2015, the article reported, students who have submitted FERPA requests were able to view their files through Nolij. The data revealed might have included information related to students' ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Nolij was acquired from Perceptive by Hyland in 2017; in December 2018 the company announced it would cease development of the program and transition its customers to OnBase, its own content system.

The bug bounty program was kicked off with a hackathon in mid-January, in which participants submitted 20-plus reports and earned rewards totaling $1,950. With the week, new reports came in, adding up to a payout of $5,000.