Bugs are everywhere — and they’re ever-evolving. When internal IT teams track down and eliminate one bug, two more spring up in its place.
Rather than waiting for hackers to punch through and exploit these vulnerabilities, however, many organizations have turned to “bug bounty” initiatives, which encourage users to find and report critical bugs, often with the promise of a cash reward. Now MIT has jumped on the bandwagon and slapped down its own bug bounty program — but it’s a little off the beaten path.
According to SecurityWeek, the program is still in alpha testing and is only open to MIT affiliates who hold valid certificates. This group includes grads and undergrads but eliminates outside security firms, who are encouraged to report any found bugs to MIT’s security team.
So far, the bug bounty focuses on the student.mit.edu, atlas.mit.edu, learning-modules.mit.edu and bounty.mit.edu domains. If users find and report bugs, they’re asked to not disclose any information publicly until the vulnerability is patched, and they’re warned against using “noisy” scanners or conducting “disruptive” tests.
So what can bug trackers earn for their work? Cash — sort of. As Threatpost reports, the school is paying out in TechCASH, which can be used for food, books and various services near the university’s campus in Cambridge, Massachusetts.
The bug bounty website also makes it clear that TechCASH is not a “payment” for services and is awarded at the discretion of the school. In addition, bug hunters are not compensated for any time spent researching.
It’s also worth noting that the program has report restrictions: MIT is only willing to pay for details on remote code execution, SQL injection, authorization bypass, information leaks, cross-site scripting and cross-site request forgery vulnerabilities. DDoS, social engineering attacks and those vulnerabilities that require on-site access are off the table.
Bug Bounty Program: An Effective Repellent?
MIT isn’t the only big-name institution rolling out a bug bounty program. As noted by Tech Times, the U.S. Department of Defense is running their first-ever “Hack the Pentagon” campaign from April 18 to May 12. This program encourages white-hat hackers to break into specific systems in an effort to report on vulnerabilities. While hackers have to pass a background check and agree to follow the rules of the game — and can’t come from countries embargoed by the United States — there’s $150,000 up for grabs.
Then there’s the bug bounty design firm Bugcrowd, which creates bug-catching frameworks for other companies. As noted by eWEEK, Casey Ellis, the CEO of Bugcrowd, used to spend most of his time “explaining what a bug bounty was to people.” Today, the company has secured $15 million in Series B funding, which has allowed them to reach $24 million in total financing to date.
So what’s the bottom line? Hackers are looking for corporate bugs. If left alone, these bugs pose a serious risk. But if companies are willing to pay out — or offer meal tickets to hungry undergrads — there’s a huge market for finding and squashing these little critters before they see the light of day.