In fact, one of the most effective ways to prevent a security breach is to test cybersecurity defenses in much the same way a hacker would, by looking for vulnerabilities in your infrastructure. The main difference, of course, is that instead of exploiting vulnerabilities, you repair them.
In the cybersecurity world, this technique is called “red teaming.” It’s also the idea behind the new Virginia Tech Bug Bounty Program, which gives students and employees the opportunity to play hacker and earn cash rewards for identifying any vulnerabilities, or “bugs,” in specific university-owned domains.
Launched in March 2021, the Bug Bounty program is helping the IT Security Office (ITSO) expand the university’s cybersecurity efforts while engaging the Virginia Tech community.
“Cybersecurity at Virginia Tech has historically focused on defense capabilities [a.k.a. ‘blue teaming’], such as monitoring outbound traffic and encrypting sensitive data,” said Brad Tilley, director of security architecture for the ITSO. “Red teaming plays offense to the blue team’s defense, taking a more active approach to cybersecurity by seeking out and flagging potential vulnerabilities before bad actors have a chance to exploit them.”
Used in tandem, blue teaming and red teaming offer the best chance of maintaining secure systems and minimizing damage from external and internal threats.
However, scouring code for vulnerabilities can be a time-consuming process, even for the most skilled security analysts, and the ITSO red team staff is relatively small. “We realized that in order to grow our offensive capabilities given our resource constraints, we needed to look outside our own office,” Tilley said.
And what better place to look than right outside their office window?
“Virginia Tech has a huge and largely untapped pool of talented students who have a natural curiosity and the requisite training to make great bug hunters,” Tilley said. By formalizing the bug-hunting process under the guidance of the ITSO, the Bug Bounty Program offers an appropriate way for these students, as well as qualified Virginia Tech employees, to explore and improve their own red teaming skills while also providing a critical service to the university. “The incentive of a cash reward encourages participation,” added Tilley.
“Plus,” as program participant Daniel Schoenbach said, “Hacking is fun!” Schoenbach, a junior computer science and mathematics major, signed up after hearing about the program through the Cybersecurity Club.
“The license to experiment was what originally drew me to the program, even more than the offer of a reward,” he said. “I enjoy the challenge of using programs in ways their designers never intended — and the thrill of doing something I’m not supposed to be able to do. But unlike a criminal hacker, my goal is to improve security. After all, I use these systems, too.”
Only actively enrolled students and current faculty and staff can participate in the program, and interested persons must first register with the ITSO on the Bug Bounty Program website.
As long as they play by the rules, participants are protected by safe harbor provisions that recognize that, while what they are doing is technically hacking, they are doing so with the purpose of identifying bugs and not taking advantage of any vulnerabilities.
The Bug Bounty Program has already proved successful for improving the university’s cybersecurity, said Tilley. To date, participants have helped the ITSO identify and correct at least four critical bugs and a handful of lesser vulnerabilities.
“As more students and employees become aware of the program, we expect more bugs to be found,” Tilley said. “Without the program, these bugs might otherwise go undetected and unrepaired.”