UKM

Security Bug Bounty

join.ukm.my
Program Active

Help Us Stay Secure

We welcome security researchers to identify and report vulnerabilities on our platform. If you discover a valid security issue, we will recognize your contribution and reward you fairly.

Reward Structure

All rewards are paid in USD via wire transfer or cryptocurrency (USDC/USDT). Final amounts depend on exploitability and business impact.

Critical
$5,000
Remote code execution, SQL injection leading to data exfiltration, authentication bypass, or full account takeover on admin systems.
High
$2,000
Sensitive data disclosure, stored XSS with significant impact, privilege escalation, or CSRF on sensitive actions.
Medium
$500
Reflected XSS, information disclosure of non-sensitive data, missing security headers with exploitable impact.
Low
$100
Missing best-practice configurations, clickjacking without sensitive action, verbose error messages.

Note: Reports must include a working proof-of-concept (PoC) and clear reproduction steps to be eligible for a reward. Duplicate or previously known issues are not eligible.

Full Scope

All systems, services, and applications directly operated by or on behalf of join.ukm.my and Universiti Kebangsaan Malaysia (UKM) are in scope unless explicitly listed in the Out of Scope section below. We encourage testing across the entire stack, from web applications to infrastructure.

Web Applications & Domains
join.ukm.my, *.join.ukm.my, ukm.my, *.ukm.my, and all sub-paths, subdomains, and microsites operated by UKM.

Mobile Applications
Official UKM iOS and Android applications published under the UKM developer account (e.g., UKM Mobile, i-UKM, student portals).

APIs & Backend Services
All REST, GraphQL, SOAP, gRPC, JSON-RPC, and internal/private APIs used by join.ukm.my and related UKM services.

Authentication & Identity
Login portals, Single Sign-On (SSO), OAuth, SAML, LDAP/Active Directory, Kerberos, password reset flows, session management, JWT handling, and Multi-Factor Authentication (MFA/2FA) systems.

Infrastructure & Cloud
Servers, virtual machines, containers, cloud instances (AWS, Azure, GCP, or on-premise), DNS records, CDN configurations, load balancers, reverse proxies, and SSL/TLS termination points directly serving UKM assets.

Databases & Data Stores
MySQL, PostgreSQL, MSSQL, MongoDB, Redis, Elasticsearch, and any other databases or caches containing UKM data, including exposed database ports or misconfigured S3 buckets/object storage under UKM control.

Email & Messaging Systems
SMTP servers, mail gateways, email templates used for notifications, and any email-based authentication or verification flows (e.g., OTP via email, magic links).

File Upload & Document Management
Application document uploads (transcripts, IC/passport), profile photos, media galleries, assignment submissions, and cloud storage integrations (Google Drive, OneDrive, Dropbox) configured for UKM use.

Payment & Financial Systems
Application fee payment gateways, tuition fee portals, invoice generation, refund processing, and any financial transactions processed through UKM platforms.

Student & Staff Portals
i-UKM, UKMfolio, UKM Learning Management System (LMS), UKM Student Information System (SIS), e-Pejabat, HR portals, and other internal/external administrative portals.

Network & VPN
UKM VPN concentrators, Wi-Fi infrastructure (eduroam, UKM-WiFi), firewalls, intrusion detection/prevention systems (IDS/IPS), and campus network segmentation.

Third-Party Integrations
Third-party services where UKM has configured or customized the integration (e.g., Google Workspace, Microsoft 365, Zoom, Webex, library databases, Turnitin, SAP systems) if the vulnerability stems from UKM's specific configuration or exposed credentials.

Backup & Disaster Recovery
Backup servers, tape archives, snapshot systems, disaster recovery sites, and backup software interfaces containing UKM data.

IoT & Smart Campus Devices
Smart campus devices, IoT sensors, building management systems (BMS), access control systems, CCTV/NVR interfaces, and smart classroom equipment connected to UKM networks.

Source Code & Secrets
Exposed source code repositories (Git, SVN), API keys, private tokens, database connection strings, cloud credentials, or hardcoded secrets found in public code repositories, binaries, or configuration files belonging to UKM.

Print & Internal Services
CUPS print servers, IPP endpoints, internal file shares (SMB/NFS), intranet sites, and internal tools accessible from the campus network or VPN.

Out of Scope
  • Third-party services where UKM is merely a customer with no custom configuration (e.g., generic Google search, standard GitHub pages not configured by UKM).
  • Social engineering, phishing, vishing, or physical attacks against UKM staff or facilities.
  • Denial of Service (DoS) / Distributed Denial of Service (DDoS) attacks of any kind.
  • Brute force attacks on authentication systems (including credential stuffing, password spraying, or dictionary attacks).
  • Reports from automated vulnerability scanners without manual verification, a tailored proof-of-concept, and clear impact assessment.
  • Issues requiring physical access to a victim's device or man-in-the-middle attacks on networks not controlled by UKM.
  • Self-XSS, XSS requiring browser extensions, or best-practice violations without a demonstrated exploitable security impact.
  • Missing security headers (e.g., CSP, HSTS, X-Frame-Options) without a working exploit or demonstrated bypass.
  • Missing SPF/DKIM/DMARC records on domains that do not send email.
  • Publicly known CVEs in software unless you can demonstrate a working exploit in the UKM environment with tangible impact.
  • Rate limiting issues unless they lead to a tangible security impact (e.g., account enumeration via timing attacks).
  • UI/UX bugs, typos, or content spoofing without a security impact.
  • Active Directory enumeration from within the network unless it leads to privilege escalation or credential compromise.
  • Testing on production systems that results in data loss, service degradation, or unauthorized modification of live data. Please request a staging/test environment if needed.

Rules of Engagement

  • Only test against systems listed in the Scope section above.
  • Do not access, modify, or delete other users' data without explicit permission.
  • Stop testing immediately if you access non-public data and report it.
  • Do not perform any action that could degrade the availability of our services.
  • Give us reasonable time (90 days) to remediate before publicly disclosing.
  • Provide a clear proof-of-concept, reproduction steps, and impact assessment.
  • Do not share vulnerability details with third parties without our written consent.
  • Comply with all applicable local and international laws.

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized. We will not pursue civil or criminal legal action against researchers for unauthorized access if the research is conducted in good faith, reported promptly, and does not cause harm. If legal action is initiated by a third party, we will make it known that your actions were authorized.

How to Report

PGP Key: Available on request
Response Time: Within 72 hours
Language: English / Bahasa Melayu

Required Information

To help us triage quickly, please include:

  • Target URL / endpoint
  • Step-by-step reproduction instructions
  • Proof-of-concept code, screenshots, or video
  • Impact assessment and suggested remediation (optional)
  • Your preferred handle for Hall of Fame (optional)

Hall of Fame

We publicly thank researchers who have helped us improve our security. No entries yet; you could be the first!