The Bug Bounty program leaderboard will reset on Sept. 1 to allow for new students and staff an opportunity to compete on an even playing field. The leaderboard will now reset yearly on Sept. 1 in continuation of this level setting.
The Bug Bounty program leaderboard will reset on Sept. 1 to allow for new students and staff an opportunity to compete on an even playing field. The leaderboard will now reset yearly on Sept. 1 in continuation of this level setting.
The Stanford Bug Bounty program is an experiment in improving the university’s cybersecurity posture through formalized community involvement. Subject to the terms below, the Information Security Office is offering rewards for the responsible discovery and disclosure of system vulnerabilities.
Stanford reserves the right to not reward any submission if we so choose, and we will not provide compensation for time spent researching.
Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and not eligible for a bounty.
Vulnerability severities and reward amounts are determined at the discretion of the Information Security Office. For instance, a cross-site scripting vulnerability on a static, unauthenticated website may be classified as less severe compared to a cross-site scripting vulnerability that has the potential to compromise user accounts.
Cumulative rewards in excess of $50 are taxable, and you must report it as income on your tax returns.
Severity | Reward Amount | Examples |
---|---|---|
Critical (P1) | $500-$1,000 | Remote code execution, SQL injection, XXE |
High (P2) |
$150-$450 | Significant authentication bypass, exposure of sensitive information |
Medium (P3) | $50-$100 | Cross-site scripting, cross-site request forgery |
Reward amounts and vulnerability severity classifications are subject to change at any time.
When conducting vulnerability research within the terms of this program, we consider such research to be:
You are expected, as always, to comply with all applicable laws. Any unauthorized activity outside the terms of this program will be subject to disciplinary and/or legal action pursuant to applicable laws and Stanford policies.
If at any time you have concerns or are uncertain whether your security research is consistent with the terms of this program, please submit your question via the vulnerability submission form.
Submit vulnerabilities via the submission form. In order to qualify for a reward, submissions must include details about the vulnerability, proof of concept/steps to demonstrate the vulnerability, your impression of its impact and severity, and a proposed fix. You can also submit any questions you have via the same form.
Out-of-scope submissions will be accepted and acted upon, but are not eligible for bounty. If you become aware of a vulnerability involving an out-of-scope domain, it is still appropriate to report the vulnerability via this program, and the same safe harbor provisions apply to protect those who responsibly report.
Last updated November 2020
Username | Reputation Points |
---|---|
|
|