MIT launches campus lunch bug bounty

The Massachusetts Institute of Technology has joined the growing number of large organisations and agencies to offer a bug bounty.

The program is in an experimental phase and is open to current MIT students and affiliates, and includes a limited number of domains.

Those submitting severe bugs will have money dropped into MIT accounts that can be spent around campus, and will get to keep their MIT Kerberos identity once they leave the ivory walls for the real world.

Researchers offering bugs now however will not receive a reward until the program leaves alpha testing and officially launches.

Punters must probe for bugs with eyes squinted to prevent reading, writing, or indeed accessing private data.

"The MIT Bug Bounty program is an experimental program aiming to improve MIT's online security and foster a community for students to research and test the limits of cyber security in a responsible fashion," the program organisers say.

"As thanks for helping keep the community safe, we are offering rewards in TechCASH for the responsible disclosure of severe vulnerabilities."

Bloggers must hold off dumping bug data online before patches are pushed.

Students wishing to cover the day's beer tab should avoid doing so by merely pointing scanners at MIT infrastructure as the noise generated is likely to annoy security wonks who request hunters also avoid causing disruption.

Hackable domains include MIT's student portal, Atlas, and learning-modules.mit.edu properties. Bugs including remote code execution, SQL Injection, and cross-site scripting qualify for the free lunch.

It follows Uber and General Motors launched bug bounty programs and the US Department of Defence with its Hack the Pentagon challenge. ®