Students uncovered over 20 cybersecurity flaws across 13 Stanford websites at the Stanford Bug Bounty Program’s inaugural hackathon on Jan. 19. The Bug Bounty Program is a dual initiative to improve Stanford’s cybersecurity and encourage the responsible application of cybersecurity skills outside the classroom.
Bug bounty programs are run by companies around the country to encourage individuals to report bugs in company sites and receive compensation.
Hosted by the Stanford Information Security Office (ISO) and Jack Cable ’22, the event introduced Stanford students and eligible employees to the University’s own bug bounty program, in which they can remotely search for and independently report vulnerabilities, or flaws in software that allow attackers to gain unauthorized access to a system or information.
Program participants can receive rewards ranging from $50 to $1,000 per vulnerability based on its severity, as determined by the ISO. During the launch hackathon, students filed over 20 vulnerability reports, with rewards totaling $1,950.
“Over the rest of the weekend, reports continued to pour in, and rewards have totaled over $5,000 in less than a week since the launch of the Bug Bounty Program,” said program manager Mike Takahashi.
ISO works with teams managing the systems to quickly remediate the reported vulnerabilities. Applied Cyber President Paul Thomas Crews Jr. ’18 ’19, who attended the launch event, said the process was “a very quick turnaround” and vulnerabilities were “almost immediately identified” by senior administration.
“The websites in scope are focused on dealing with more sensitive data,” Cable said. “We’re looking for anything that could harm the security at Stanford … or expose user information like names, date of birth, class information, social security.”
While neither Cable nor Crews could disclose the specific detected vulnerabilities, both individuals said the University is interested in publishing public information about the types of vulnerabilities once they have been resolved.
“It’s a great opportunity to both secure Stanford and find vulnerabilities so they can’t be exploited by malicious hackers,” Cable said. “Plus the learning curve for bug bounty isn’t that steep, and it helps people get started in cybersecurity and gain practical experience on Stanford systems.”
Stanford’s ISO reached out to Cable over the summer to initiate an official bug bounty program for the 2018-2019 school year. Cable learned how to code in seventh grade by watching CS 106A: “Programming Methodologies” lectures on YouTube and discovered an interest in cybersecurity during his sophomore year of high school.
He said his first interaction with a bug bounty program occurred on a cryptocurrency site when he found that individuals could send negative amounts of money to each other, essentially stealing.
“I knew nothing about security then, but I knew it was a bad thing,” he said. “That company had something called a bug bounty program, and I reported that vulnerability.”
Since then, Cable has reported vulnerabilities to companies including Google, Facebook, Uber and the U.S. Department of Defense. He is currently a member of Applied Cyber, which became an official club earlier this year and plans to further collaborate with the Bug Bounty Program.
“We’re hoping to host some of our own internal events to work on this with students and get them involved in bug bounties,” said Head of Women in Applied Cyber (WAC) Kate Stowell ’18 M.S. ’19.
According to Cable, Stanford is one of the first universities to start a bug bounty program, taking inspiration from the Massachusetts Institute of Technology, which launched a similar program a couple of years ago.
“A sentiment that’s been expressed is there seems to be a gap between [the] student body and the administration regarding infrastructure and security concerns,” Crews said. “I think with some of the vulnerabilities that had been identified independently by students in the past, there wasn’t a clear way to report that. This really solves that.”
Contact Udani Satarasinghe at usatara ‘at’ stanford.edu.
This article has been altered to fix a misspelling. The interviewee’s name is Paul Thomas “Crews” Jr., not Cruz. The Daily regrets this error.