The Virginia Tech Bug Bounty Program

The Virginia Tech Bug Bounty program is an experiment to improve the university’s cybersecurity stance through formalized community involvement. Subject to the terms below, the VT IT Security Office will be offering rewards for the responsible discovery and disclosure of security vulnerabilities. Participants must agree to abide by the rules of the program and register in order to submit bugs. Registration is now open.

Scope

Only the following domains are in scope. More domains will be added as the program grows:

  • *.ag.vt.edu
  • *.arch.vt.edu
  • *.banner.vt.edu
  • *.bursar.vt.edu
  • *.cc.vt.edu
  • *.cirt.vt.edu
  • *.cns.vt.edu
  • *.code.vt.edu
  • *.coe.vt.edu
  • *.cs.vt.edu
  • *.ece.vt.edu
  • *.emporium.vt.edu
  • *.eng.vt.edu
  • *.es.vt.edu
  • *.finaid.vt.edu
  • *.flsi.vt.edu
  • *.hr.vt.edu
  • *.hume.vt.edu
  • *.iso.vt.edu
  • *.it.vt.edu
  • *.its.vt.edu
  • *.lib.vt.edu
  • *.middleware.vt.edu
  • *.nis.vt.edu
  • *.pamplin.vt.edu
  • *.pki.vt.edu
  • *.president.vt.edu
  • *.research.vt.edu
  • *.security.vt.edu
  • *.uc.vt.edu
  • *.vetmed.vt.edu
  • *.vpas.vt.edu
  • *.vtf.vt.edu
  • *.vtti.vt.edu
  • *.w2k-dev.vt.edu
  • *.w2k-test.vt.edu

Examples of in scope vulnerabilities:

  • Cross site request forgery (CSRF)
  • Cross site scripting (XSS)
  • Remote code execution (RCE)
  • Sensitive information disclosure
  • SQL injection (SQLi)

Rules

To be eligible for bounty, all testing must be performed within the scope described above. Out of scope submissions will be accepted and acted upon, but are not eligible for bounty. If you become aware of a vulnerability involving an out of scope domain, it is still appropriate to report the vulnerability via this program, and the same safe harbor provisions apply to protect those who responsibly report.

The rules of the program:

  • Participants must be current students, faculty, staff or employees of Virginia Tech.
  • Any involvement you have with an in scope domain that could create a conflict of interest renders that domain out of scope for you.
  • For employees, participation in the program must not interfere with job responsibilities and should be conducted outside of work hours.
  • Do not disclose any vulnerabilities without explicit written permission from the Virginia Tech IT Security Office.
  • Do not perform any tests that will disrupt services or impair others' ability to use those services.
  • Do not use automated scanners.
  • If a vulnerability provides unintended access to data, do not access the data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability.
  • If you encounter any sensitive data during testing such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or other confidential information, stop and submit a report immediately.
  • Testing must not violate Virginia Tech policies or any applicable laws.
  • To the furthest extent possible, only interact with test accounts you own or accounts with explicit permission from the account owner.

Rewards

Virginia Tech reserves the right to not reward any submission if we so choose, and we will not provide compensation for time spent researching. Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and not eligible for a bounty. Vulnerability severity and reward amounts are determined at the discretion of the Information Technology Security Office (ITSO). Reward amounts and vulnerability severity classifications are subject to change at any time. Rewards in excess of $50 are taxable, and participants must report it as income on tax returns.

Class Amount
Critical $250.00
High $125.00
Medium $50.00

Safe Harbor

When registered participants are conducting vulnerability research within the terms of this program, we consider such research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate legal or disciplinary action against you.
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in Virginia Tech policies that would otherwise prohibit conducting such security research, and we waive those restrictions on a limited basis for research performed pursuant to this program.
  • Lawful, helpful to Virginia Tech's cybersecurity program, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. Any unauthorized activity outside the terms of this program will be subject to disciplinary and/or legal action pursuant to applicable laws and Virginia Tech policies. If at any time you have concerns or are uncertain whether your security research is consistent with the terms of this program, please email your question to The Bug Bounty Team.

Register to Participate

Submit a Bug