The Massachusetts Institute of Technology has launched an experimental bug bounty program to keep the school and research institution's web domains and software safe from exploit.
Bug bounties were once little more than a small window for a handful of researchers to disclose vulnerabilities in popular software and receive hall-of-fame credit in return.
Today, the cybersecurity landscape is very different — and as cyberattacks become commonplace, many companies need to offer more than a pat on the back to entice researchers and security specialists to spend time ferreting out weaknesses and security flaws in their products and services.
Google, Microsoft and Mozilla are only a handful of the companies which now offer financial rewards for vulnerability disclosure. However, companies ranging from technology firms to airlines and automakers are now jumping on the bandwagon to stamp out security issues before they are exploited.
No company is perfect and no matter how good in-house security teams are, there is no guarantee that every vulnerability will be found — something MIT readily admits.
The academic institute's new bug bounty program is not currently open to the public, and no outside rewards are being issued due to its testing status.
If you are an MIT affiliate — whether that be a student or a member of academic staff — you can apply. Entrants are being urged not to read, write or exploit any private data they may access while testing for security flaws — and these tests should not disrupt university services.
Bug hunters are also being asked not to publicly disclose vulnerabilities "before they have been completely resolved."
Another request — albeit a peculiar-sounding one — is for users not to use "noisy" automated scanners while on the hunt.
A handful of domains are currently the targets for vulnerability discovery, including MIT's student portal, the Atlas service platform and the Stellar domain, which hosts learning modules. In addition, the bug bounty website itself is also on the list.
MIT is particularly interested in any flaw which could lead to remote code execution, SQL injection, authorization bypass vulnerabilities, information leaks, cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities. Issues involving physical exploits or the use of social engineering techniques are not admissible.
At this early stage, rewards for students' hard work are only being offered in TechCASH, which is MIT's version of money for campus cards. However, should the bug bounty program prove valuable, it may later be opened to third-party researchers, with rewards which go beyond the school's grounds.