(Blue and) White hats: Penn State launches bug bounty program

Credit: Penn StateCreative Commons

Editor’s Note: Only students approved to participate in the upcoming Student Vulnerability Reporting Program may perform security experiments on Penn State networks.

Gaining unauthorized access is in direct violation of Penn State Policy AD20 that states, "Conducting or attempting to conduct security experiments or security scans involving or using University Computer and Network Resources without the specific authorization of the Security Operations and Services Director is prohibited."

UNIVERSITY PARK, Pa. — Thanks to the efforts of a recent graduate from the College of Information Sciences and Technology (IST), Penn State is preparing to launch a pilot program where students can identify and report cyber vulnerabilities.

Approved students will soon be able to enroll in the Student Vulnerability Reporting Program (SVRP), where they can scour some Penn State systems in search of vulnerabilities. In addition to earning hands-on experience with cybersecurity and helping maintain the integrity of Penn State’s networks, students will also be rewarded with LionCash and awards if their efforts are successful. Michael Lubas, who graduated in May with a degree in security and risk analysis (SRA), was the driving force behind the program. He first explored the idea during his IST 440W class. The course, taught by Alison Murphy, focuses on problem-based approaches to real-life issues facing organizations. 

As he looked into the idea further, Lubas realized that SRA students like him could help protect Penn State from external threats. Throughout the program, students learn how to detect these vulnerabilities and could help the University combat them in a legitimate way. “We use these [Penn State computer] systems all day for our coursework, so if we see something wrong, we should be able to report it,” he explained.

With Lubas as the team lead of his IST 440W group, which included Patrick August, Carmen Caputo, Tianyue Ma, Austin Miller and Steven Burns, they collaborated with the Office of Information Security (OIS) to pursue the project.

In the ever-evolving world of cybersecurity, OIS is charged not only with keeping Penn State’s systems secure from cyber threats but also finding ways to engage stakeholders across the University to increase cybersecurity awareness and collaboration. The creation of this student program aligns perfectly with those strategic goals. 

“We think this [bug bounty program] is a win-win,” said Donald Welch, Penn State’s Chief Information Security Officer. “If they find vulnerabilities, we can patch them and the students get useful experience they can bring to their post-graduation employers.”

To be eligible for the program, participants must be Penn State students and be approved through an application process. After gaining approval, security researchers will have access to certain Penn State domains and will have the ability to run tests and report any vulnerabilities they find.

This type of university-wide program is common; many organizations have similar programs, such as Google’s Vulnerability Reward Program (VRP), which rewards users who find bugs on Google and any supporting sites and extensions.

Penn State’s program, however, is not open to the public. Before accessing the SVRP, a user must log in using their Penn State credentials, which limits individuals outside the Penn State community from accessing the University’s systems.

During the fall semester, the pilot program will be launched and students will be able to submit applications. “If it’s beneficial, we’re planning on making it permanent,” Welch said.

With the potential to improve the University’s cybersecurity long-term, Lubas hopes future students will be able to gain real-world experience. “I’m really proud of this project,” Lubas said. “I’m happy that Penn State’s culture is engaging the students for their help.”

Currently, any investigations into the Penn State networks violates the University policy AD20. Only students who have been accepted into the Student Vulnerability Reporting Program will be authorized to do so. If you have any questions, contact OIS at or visit for more information.


Last Updated May 18, 2017