Monash University Bug Bounty

Monash University is committed to protecting the confidentiality, integrity and availability of its information and digital platforms. At Monash, we value and support the work undertaken by the security research community and appreciate it when researchers take the time to report potential security vulnerabilities to us. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our technology systems. Good luck, and happy hunting!

Rules of engagement

• All email addresses belonging to researchers should be your @bugcrowdninja.com.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
• Do not modify data that does not belong to you.
• You’ll be testing production systems, Please be reasonable with the use of automated tools.
• Tools that may result in a Denial Of Service (DoS) are prohibited.
• Please be sure to check domain records to confirm Monash University ownership; Do not test assets not owned and controlled by Monash University.

Public Disclosure:

Monash University does not permit public disclosure at this point in time. Exceptions will be made if the Monash University Cyber Risk & Resilience Team believes it is in the best interest of the general public and these will typically be done via CVE publication. In this situation, we would reach out to the researcher to ask if they would like to be acknowledged and named in the CVE record.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.