Active Program $5,000 flat · validated critical Student portal · LMS · SSO · APIs · full mesh

UPM Study Portal Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

study.upm.edu.my is the integrated study portal for UPM (Universiti Putra Malaysia), one of Malaysia’s top educational institutions. The platform covers student records, LMS integrations, course enrollment, fee payment gateways, SSO authentication, academic transcripts and results, hostel bookings, exam scheduling, library systems, research repositories, staff portals, and administrative dashboards — collectively the entire UPM-operated perimeter is in-scope with no shrunken carve-out appendix. Every confirmed critical validated with a reproducible exploitation chain pays exactly $5,000 USD. Acceptance requires both a numbered attack chain narration and evidence that the exploitation actually succeeds (replayable scripts, unauthorized transcript access logs, SSO bypass traces, payment manipulation proofs, privilege escalation demonstrations — prose alone collapses payouts).

BountyHunter Editorial

Security Research Desk

Published
Reading time 9 min
Status Live · Accepting reports
Critical payout $5,000 USD · each validated report
Avg. triage ~48h education pattern
Data at risk Extreme records · payments · PII
Scope all UPM-operated stacks
Proof bar Chain + PoC kill chain · attack succeeds
01 — Overview

Academic surface worth stress-testing

UPM Study Portal serves as the central digital gateway for thousands of students and staff across Universiti Putra Malaysia — handling authentication, enrollment, fee processing, grade management, hostel allocations, and administrative workflows. The platform exposes a wide range of interconnected services: REST/GraphQL APIs, SSO endpoints (SAML, OAuth), payment redirections, file upload and attachment handling, LMS integrations, library search, exam timetabling, research repositories, and real-time notifications. Each of these integrations is a potential pivot point for privilege escalation, mass PII exfiltration, or payment manipulation — and every validated critical earns exactly $5,000 USD.

In scope: study.upm.edu.my and all UPM-operated hosts, services, APIs, bots, signing services, staging shards, mobile app endpoints, integrations, and partner callback surfaces.
Legal floor: financial crime, harassment, facilitating academic dishonesty — always off-limits; bounty is for defensive security research in coordination with UPM’s published disclosure channels.

02 — Context

Why probe the UPM portal?

A Malaysian educational portal processes tens of thousands of PII records, real-money fee transactions, and privileged academic decisions daily. Any breach that chains across these surfaces can expose students and staff to irreversible harm — which is exactly why $5,000 per validated critical exists.

PII blast radius

Student full names, IC numbers, addresses, parent contact details, academic records, financial aid data — chained bugs often expose PII silently until someone maps them.

No fake micro-scope list

If UPM can patch/configure it — from portal JS to infra config — testers can escalate until severity lands or triage shuts with reasoning.

Responsible disclosure halo

Demonstrated exploits with airtight chains earn coordinated publication credit after fixes ship.

03 — Reward

$5,000 per validated critical

There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel request harnesses, SSO token forgeries, signing traces…).

Critical $5,000 USD ea.

Unauthorized access to or modification of student/staff records at scale; SSO bypass granting admin-level access across UPM’s portfolio; payment gateway manipulation causing silent fee reroute; mass PII exfiltration of academic or personal data; persisted RCE in portal or LMS control plane; break-glass access to signing keys or database credentials.

  • Cross-user grade/transcript manipulation, enrollment logic desync, or duplicate credit
  • Payment callback abuse causing silent fee reroute or duplicate credit at scale
  • Break-glass SSRF egress from UPM infra to lateral cloud or on-premise systems

Operational truth: If you can’t yet prove the exploitation lands inside UPM’s network boundary, tighten your staging mirror until HTTP/trace logs objectively show attacker success — triage shelves “might work” theories.
04 — Scope inventory

Illustrative map (non-exhaustive)

These rows do not impose limits — they’re shorthand for tagging reports. Anything UPM hosts, signs, proxies, parses, verifies, or integrates counts as bounty ground even if undocumented here. Treat “not listed” ≠ “out-of-scope”: default stance is open scope across UPM’s digital perimeter.

Surface | Class | Critical payout
study.upm.edu.my, portal HTML/JS/CSS, mobile endpoints, *.upm.edu.my | Web · CDN | $5,000 / validated bug
Student APIs, LMS integrations (e.g. e-learning), SSO endpoints (SAML, OAuth, session cookies) | Backend | $5,000 / validated bug
Fee payment gateway, checkout redirects, receipt generation, financial aid systems | Payments | $5,000 / validated bug
Enrollment, hostel booking, exam scheduling, transcript delivery systems | Academic | $5,000 / validated bug
Library search, repository APIs, research grants management | Library | $5,000 / validated bug
Admin dashboards, staff portals, management consoles | Admin | $5,000 / validated bug
Mobile app endpoints, notification services, WebSocket feeds | Mobile | $5,000 / validated bug
Partner integrations, callback receivers, webhook processors, file upload handlers | Integrations | $5,000 / validated bug
Hosting infrastructure, edge config, CDN config, DNS management panels | Infra | $5,000 / validated bug
05 — Policy

Full-scope policy — no “oops, shrink-wrapped” appendix

UPM’s bounty refuses the industry habit of publishing a fat scope table and a quiet appendix that exfiltrates half the platform as “out-of-scope” third-party dependencies. The only exclusions are universal legal/ethical bright lines:

  • No crimes (unauthorized access to unrelated third-party systems via UPM as a vector still counts).
  • No intentional harm to unrelated civilians or students (proof-of-concept on test accounts).
  • No academic dishonesty facilitation (grade manipulation PoC is fine; leaking real transcripts is destructive).

If UPM touches it technically — even an undocumented microservice that only appears in a HAR trace — it’s bounty-eligible until triage rules it out.

Legal floor (not bounty shrink): laundering, indiscriminate draining of unrelated payment venues, mass student harassment — always off-limits even if endpoints tempt you.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing data/state impact — not paper analysis alone.
  2. Number your hops. Session/API primitive → escalation → grade/payment/record integrity break.
  3. Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
  4. Private coordination first. Use official intake on study.upm.edu.my before public threads.
  5. Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
07 — Submit

How to submit a report

Use the security / vulnerability disclosure contact published on https://study.upm.edu.my/ (security@upm.edu.my is a common guess — verify on the live site before emailing). Template below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — student/staff or financial impact in one paragraph

# Kill chain (numbered steps)
1. <session acquisition / API discovery>
2. <privilege escalation / boundary crossing>
3. <impact trigger that violates policy>

# Exploitation evidence
• HAR / PCAP / Burp export with annotations
• Reproduced-with-script showing cross-user data access
• Signing or token trace if SSO/crypto primitive involved

# Remediation suggestion (optional but appreciated)
• Short description of expected fix orientation

# Attachments (zipped, <10 MB, no malware)
- PoC script.py, capture.har, logs/
08 — Example

Python vignette · pair with reproducible HTTPS exploit replay

Pseudocode illustrating an IDOR transcript access — meaningless without attaching HAR/logs proving an unauthorized request retrieves another student’s academic record inside UPM Study Portal.

Python · illustrative misuse
# BUGGY: the endpoint behind this client verifies only that a session is
# present; it never binds the session's student to the requested transcript
import requests

BASE = "https://study.upm.edu.my/api/v1"
SESSION = "eyJhbGciOiJIUzI1NiIs..."  # valid student session cookie value

def fetch_transcript(student_id):
    resp = requests.get(
        f"{BASE}/transcripts/{student_id}",
        headers={"Cookie": f"upm_session={SESSION}"},
        timeout=10,
    )
    return resp.json()

# MISSING: server-side check that session.student_id == requested student_id
# attacker iterates student_id → exfiltrates arbitrary academic records
# (the original loop wrote range(S1234001, S1234500), which is not valid
# Python; the IDs are strings of the form "S" + number)
for n in range(1234001, 1234500):
    student_id = f"S{n}"
    data = fetch_transcript(student_id)
    if "cgpa" in data:
        print(student_id, data["cgpa"])
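The server-side ownership bind that the snippet above says is missing, written out as an added example (not UPM's code) alongside a small detector for the enumeration pattern the vignette produces. SESSIONS, TRANSCRIPTS, the exception classes and the audit list are constructed stand-ins for the portal's real session store, record table and logging.

```python
from collections import defaultdict

# Constructed stand-ins for the portal's session store and transcript table
# (hypothetical schema, not UPM's backend).
SESSIONS = {"sess-alice": "S1234001", "sess-bob": "S1234002"}   # token -> student
TRANSCRIPTS = {"S1234001": {"cgpa": 3.71}, "S1234002": {"cgpa": 3.12}}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def get_transcript_buggy(session_token, student_id):
    """Mirrors the flaw: any valid session unlocks any transcript."""
    if session_token not in SESSIONS:
        raise Unauthenticated()
    return TRANSCRIPTS.get(student_id)


def get_transcript_fixed(session_token, student_id, audit):
    """Resolve the caller from the session, never from the URL, and bind it.

    audit: list that receives (token, requested_id) for every denied cross-user read,
    standing in for the portal's access log.
    """
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Unauthenticated()
    if owner != student_id:
        audit.append((session_token, student_id))
        raise Forbidden()
    return TRANSCRIPTS.get(student_id)


def attempt(session_token, student_id, audit):
    """Wrapper that reports the outcome as a status string instead of raising."""
    try:
        get_transcript_fixed(session_token, student_id, audit)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


def flag_enumeration(audit, threshold=3):
    """Sessions denied on >= threshold distinct foreign ids look like IDOR sweeps."""
    seen = defaultdict(set)
    for token, requested in audit:
        seen[token].add(requested)
    return sorted(t for t, ids in seen.items() if len(ids) >= threshold)
```

Triage can use the same denied-request counting over real access logs to separate a single mistyped URL from a sweep.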
09 — FAQ

Frequently asked questions

Is anything actually “out of scope” besides illegal stuff?

No discretionary product carve-outs — only universal legal/ethical lines (crime, harming unrelated civilians, ransomware, facilitating academic dishonesty, etc.). If UPM hosts, proxies, signs, or documents a surface technically, testers can escalate until triage disqualifies specifics.

Do speculative write-ups without a working exploit get paid?

No. $5K critical payouts require both a complete kill-chain narrative and evidence of a successful attack path (replayable artifacts). Theory-only stays in triage backlog without compensation.

Are staging / dev environments fair game?

Yes whenever UPM labels or operates them.
Demonstrate realism by mirroring configs/data where possible.

Duplicates?

Fastest validated chain + reproducible exploitation wins treasury; follower tickets close acknowledged only.

Lower severities rewarded?

Not under this $5K-flat critical playbook — escalate impact until it meets critical thresholds or accept non-monetary acknowledgement.

Critical chain + working exploit = $5,000

No narrow scope appendix — document the attack, prove it lands, file privately.