Monash University opens public bug bounty

Websites, apps open to researchers.

Monash University has made its bug bounty public, two years after initiating an internal vulnerability disclosure program.

[Photo, L-R: Bugcrowd CEO Ashish Gupta and Monash University CISO Dan Maslin. Source: LinkedIn]

The move was announced by Bugcrowd and confirmed by Monash University CISO Dan Maslin in a LinkedIn post.

“As a final maturity step in a multi-year journey, this week at Monash University our bug bounty program became publicly joinable,” Maslin wrote.

“We value and support the work undertaken by the cyber security research community and appreciate it when researchers take the time to report potential security vulnerabilities to us - we welcome submissions from cyber security researchers globally.”

Offering up to $2500 for vulnerabilities, Monash University asks that researchers “be reasonable with the use of automated tools” (Origin Energy, whose bounty program went public earlier in the week, bans such tools outright).

While operating privately, the program rewarded researchers for 27 vulnerabilities and attracted 75 members, the university said.

The university doesn’t plan routine disclosure of bugs researchers find, but said disclosure will be made “if the Monash University cyber risk and resilience team believes it is in the best interest of the general public.”

“These will typically be done via CVE publication,” it added.

The list of in-scope targets covers both websites and the university’s Android app. Since the app is geographically restricted, the bounty program warns that researchers will probably need to access it from an Australian IP address.

As well as the university’s main website and its Android and iOS mobile sites, the targets include its assessment, identity and file-sharing sites and its Cisco-based VPN, all of which use Okta as their sign-in mechanism.

Copyright © iTnews.com.au. All rights reserved.