Bug Bounty Program pays off for cybersecurity at Virginia Tech
Not all hackers are up to no good.
In fact, one of the most effective ways to prevent a security breach is to test cybersecurity defenses in much the same way a hacker would, by looking for vulnerabilities in your infrastructure. The main difference, of course, is that instead of exploiting vulnerabilities, you repair them.
In the cybersecurity world, this technique is called “red teaming.” It’s also the idea behind the new Virginia Tech Bug Bounty Program, which gives students and employees the opportunity to play hacker and earn cash rewards for identifying any vulnerabilities, or “bugs,” in specific university-owned domains.
Launched in March 2021, the Bug Bounty program is helping the IT Security Office (ITSO) expand the university’s cybersecurity efforts while engaging the Virginia Tech community.
“Cybersecurity at Virginia Tech has historically focused on defense capabilities [a.k.a. ‘blue teaming’], such as monitoring outbound traffic and encrypting sensitive data,” explained Brad Tilley, director of security architecture for the ITSO. “Red teaming plays offense to the blue team’s defense, taking a more active approach to cybersecurity by seeking out and flagging potential vulnerabilities before bad actors have a chance to exploit them.” Used in tandem, blue teaming and red teaming offer the best chance of maintaining secure systems and minimizing damage from external and internal threats.
However, scouring code for vulnerabilities can be a time-consuming process, even for the most skilled security analysts, and the ITSO red team staff is relatively small. “We realized that in order to grow our offensive capabilities given our resource constraints, we needed to look outside our own office,” Tilley said.
And what better place to look than right outside their office window?
“Virginia Tech has a huge and largely untapped pool of talented students who have a natural curiosity, and the requisite training to make great bug hunters,” Tilley said. By formalizing the bug-hunting process under the guidance of the ITSO, the Bug Bounty Program offers an appropriate way for these students, as well as qualified Virginia Tech employees, to explore and improve their own red teaming skills while also providing a critical service to the university. “The incentive of a cash reward encourages participation,” added Tilley.
“Plus,” as program participant Daniel Schoenbach said, “Hacking is fun!” Schoenbach, a junior computer science and mathematics major, signed up after hearing about the program through the Cybersecurity Club. “The license to experiment was what originally drew me to the program, even more than the offer of a reward,” he said. “I enjoy the challenge of using programs in ways their designers never intended — and the thrill of doing something I'm not supposed to be able to do. But unlike a criminal hacker, my goal is to improve security. After all, I use these systems, too.”
Only actively enrolled students and current faculty and staff can participate in the program, and interested persons must first register with the ITSO on the Bug Bounty Program website.
As long as they play by the rules, participants are protected by safe harbor provisions that recognize that, while what they are doing is technically hacking, they are doing so with the purpose of identifying bugs and not taking advantage of any vulnerabilities. While the ITSO will accept reports for any vulnerability on any “vt.edu” resource, bounties are limited to domains that the ITSO has defined. Participants must limit their testing only to the extent necessary to demonstrate that a bug likely exists — at that point, they must report the bug and let the ITSO team take it from there.
"The ITSO is very careful about ensuring all testing is done in accordance with existing state and federal computer crime laws," emphasized Randy Marchany, university IT security officer and director of the IT Security Lab. He noted that any activity outside of scope or that circumvents the program rules is illegal, adding that "participants who follow the program's rules regarding scope, testing, and reporting and comply with applicable laws will be protected."
Schoenbach said that operating within the confines of the rules actually provides him a sense of freedom and peace of mind that he wouldn’t otherwise enjoy. “[Outside the program] when I see something suspicious, I might risk liability by investigating further, so I just have to move on with a little less trust than before. If there was a vulnerability, it goes unreported and unfixed.”
With a formalized Bug Bounty Program, he can do something about a problem he finds. “I have the freedom to dig deeper,” Schoenbach said. “If I don't find anything, I have a little more trust that the system is secure. If I do find a vulnerability, I can report it, get the bug fixed, and earn a little something for my effort. You get to have the same fun as the bad guys while helping instead of hurting. Who doesn't love that?”
The Bug Bounty Program has already proved successful for improving the university’s cybersecurity, said Tilley. To date, participants have helped the ITSO identify and correct at least four critical bugs and a handful of lesser vulnerabilities. “As more students and employees become aware of the program, we expect more bugs to be found,” Tilley said. Without the program, these bugs might otherwise go undetected and unrepaired.
Schoenbach added, “Virginia Tech's Bug Bounty program and others like it reflect a pragmatic view of computer security: threatening to punish everyone for hacking will only scare away people trying to help — the bad guys were never going to listen anyway. I believe in this approach and was glad to see the ITSO does too.”
The ITSO is actively recruiting participants for the Bug Bounty Program. Complete information including registration, rules, and a list of the domains within scope can be found at https://bugbounty.aws.cloud.iso.vt.edu/. Any questions about the program can be directed to the Bug Bounty team at firstname.lastname@example.org.