
Stanford Bug Bounty Program

Securing Stanford Together

The Bug Bounty program leaderboard will reset on Sept. 1 to give new students and staff an opportunity to compete on an even playing field. Going forward, the leaderboard will reset yearly on Sept. 1 to keep this level setting in place.

The Stanford Bug Bounty program is an experiment in improving the university’s cybersecurity posture through formalized community involvement. Subject to the terms below, the Information Security Office is offering rewards for the responsible discovery and disclosure of system vulnerabilities.

Scope

Only the following domains are in-scope:

  • bi.stanford.edu
  • accessories.stanford.edu
  • Active Directory
    • win.stanford.edu
  • Cardinal Print
    • cardinalprintcenter.stanford.edu
    • printer interface
  • *.sahr.stanford.edu
  • ecm.stanford.edu
  • fasa.stanford.edu
  • secureportal.stanford.edu
  • regadmin.stanford.edu
  • ice.stanford.edu
  • iron.stanford.edu
  • campusmap.stanford.edu
  • code.stanford.edu
  • accounts.stanford.edu
  • authority.stanford.edu
  • idp.stanford.edu
  • login.stanford.edu
  • mydevices.stanford.edu
  • spdb.stanford.edu
  • sponsorship.stanford.edu
  • stanfordwho.stanford.edu
  • stanfordyou.stanford.edu
  • vault.stanford.edu (new)
  • who.stanford.edu
  • workgroup.stanford.edu
  • Kerberos authentication (new)
  • Stanford VPN (new)
  • Stanford LDAP (new)
  • Stanford Network Access Control (SUNAC) (new)
  • netdb.stanford.edu (new)
  • mailman.stanford.edu (new)


Examples of in-scope vulnerabilities:

  • Remote Code Execution (RCE)
  • SQL injection
  • XML External Entity Injection (XXE)
  • Authorization bypass/escalation
  • Sensitive information leaks
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)

Out-of-scope vulnerabilities:

  • Any bug that does not pose a substantial or demonstrable security risk
  • Clickjacking, open redirects, or lack of security headers
  • Denial of service (DOS)
  • Social engineering
  • Physical exploits of our servers or network
  • Local network-based exploits such as DNS poisoning or ARP spoofing

Rules

  • In order to take part in this program, you must be a Stanford student (undergraduate/graduate), postdoc, or full-time, benefits-eligible employee.
  • For employees, participation in the bug bounty program must not interfere with job responsibilities and should be conducted outside of work hours.
  • Any involvement you have with an in-scope domain that could create a conflict of interest renders that domain out-of-scope for you.
  • Do not publicly disclose any vulnerabilities without explicit written permission from the Information Security Office at Stanford University.
  • Do not perform any tests that will disrupt services or impair others' ability to use them.
  • Do not use automated scanners.
  • To be eligible for bounty, all testing must be performed within the scope described above. Out-of-scope submissions will be accepted and acted upon, but are not eligible for bounty.
  • If you become aware of a vulnerability involving an out-of-scope domain, it is still appropriate to report the vulnerability via this program, and the same safe harbor provisions apply to protect those who responsibly report.
  • Access does not equate to authorization. If a vulnerability provides unintended access to data, do not access the data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability. If you encounter any Moderate or High Risk data during testing (such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or other confidential information), cease testing and submit a report immediately.
  • Testing must not violate the Stanford Honor Code, Fundamental Standard, Admin Guide Chapter 6.2.1, or any applicable laws.
  • To the furthest extent possible, only interact with test accounts you own or accounts with explicit permission from the account owner.

Rewards

Stanford reserves the right to not reward any submission if we so choose, and we will not provide compensation for time spent researching.

Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and not eligible for a bounty.

Vulnerability severities and reward amounts are determined at the discretion of the Information Security Office. For instance, a cross-site scripting vulnerability on a static, unauthenticated website may be classified as less severe compared to a cross-site scripting vulnerability that has the potential to compromise user accounts.

Cumulative rewards in excess of $50 are taxable, and you must report them as income on your tax returns.

Severity | Reward Amount | Examples
Critical (P1) | $500-$1,000 | Remote code execution, SQL injection, XXE
High (P2) | $150-$450 | Significant authentication bypass, exposure of sensitive information
Medium (P3) | $50-$100 | Cross-site scripting, cross-site request forgery

Reward amounts and vulnerability severity classifications are subject to change at any time.

Safe Harbor

When conducting vulnerability research within the terms of this program, we consider such research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate legal or disciplinary action against you;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in the Stanford Administrative Guide 6.2.1 that would otherwise prohibit conducting such security research, and we waive those restrictions on a limited basis for research performed pursuant to this program; and
  • Lawful, helpful to Stanford's cybersecurity posture, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. Any unauthorized activity outside the terms of this program will be subject to disciplinary and/or legal action pursuant to applicable laws and Stanford policies.

If at any time you have concerns or are uncertain whether your security research is consistent with the terms of this program, please submit your question via the vulnerability submission form.

Get Started

Submit vulnerabilities via the submission form. In order to qualify for a reward, submissions must include details about the vulnerability, proof of concept/steps to demonstrate the vulnerability, your impression of its impact and severity, and a proposed fix. You can also submit any questions you have via the same form.

Out-of-scope submissions will be accepted and acted upon, but are not eligible for bounty. If you become aware of a vulnerability involving an out-of-scope domain, it is still appropriate to report the vulnerability via this program, and the same safe harbor provisions apply to protect those who responsibly report.

Bug Bounty Stats

109 submissions

$13,035 total rewards

Leaderboard

Last updated November 2020

Username Reputation Points