Monash University has become Australia’s first higher education institution to stand up vulnerability disclosure and bug bounty programs, resulting in a treasure-trove of actionable information for the price of a pentest.
The country’s largest university began experimenting with a Bugcrowd vulnerability disclosure program in August 2020 to better cover Monash’s half a million public IP addresses.
But the program has already expanded to a bug bounty program, with cyber security researchers offered financial rewards for uncovering any vulnerabilities on a number of important assets since March.
In the months since both programs were introduced as part of a wider cyber uplift program, the university has seen a 100-fold increase in actionable information, for the cost of a single traditional pentest.
Chief information security officer Dan Maslin told iTnews that the original vulnerability disclosure program came about from a desire to more “aggressively” search out cyber security weaknesses across the university’s IT estate.
“We’ve got a really, really big digital footprint. It’s quite a complete environment,” he said.
“And so we wanted to be able to, at scale, have confidence that we could quickly identify any weaknesses, and particularly in the research environments that are constantly changing.”
Coming from a traditional “point in time” approach with pentesting, the vulnerability disclosure program has given the university the confidence that vulnerabilities are being reported continuously, not just on a “one-off” basis.
“We wanted to move to something that was continuous and that would cover the breadth of the environment,” Maslin said, adding that the program also provides guaranteed testing from the Bugcrowd vetted researchers.
“They do the validation, they do the triaging, prioritisation, making sure that there’s a proof-of-concept for us, provide some general remediation advice and then retesting of the issue once we’ve resolved it.”
Crowdsourcing from a large group of researchers via Bugcrowd also has the added benefit of allowing the university to “test everything from web to infrastructure, building management systems [and] mobile applications”.
“It’s bringing that breadth of skills that you don’t typically have in a pentesting engagement, and because the scope is open… we’re getting the benefits of those broad skills in the researcher community,” he said.
The vulnerability disclosure program is “inclusive of all our domain names and all of our external IP ranges”, whereas the bug bounty program is more limited in scope, applying to only “some important assets”.
Financial rewards are offered to researchers for “any reports on those particular systems”, with the remainder of systems – which span the university’s research and work environments – covered by the public vulnerability disclosure program.
“We understand [the programs] to be the first for our sector in Australia, and in the world, we believe it’s a first for our sector in terms of the scale because absolutely everything’s in scope, and its giving us a good level of confidence,” Maslin said.
While the program has resulted in increased work for Maslin’s 21-strong cyber risk and resilience team, as there is now “a lot more information to go through”, there is also a lot more “triaging services and remediation advice” available.
“I would rather have the visibility and have a big list of things to fix than not have the visibility,” he said, adding that the proof-of-concepts provided by BugCrowd were particularly useful for helping to save time.
“If we had a report of a vulnerability, being able to prove to a system owner that something is exploitable [means] we’re not having to generate that proof-of-concept ourselves, so that definitely saves time.
“And Bugcrowd do facilitate the conversation with the researcher as well, making sure they’ve provided enough information, making sure it’s not a duplicate, again triaging and prioritising – they’re handling all of that.”
Maslin added that other similarly-sized universities were now looking at Monash’s program.