What’s covered
UTAR is one of Malaysia’s largest private universities, enrolling roughly 25,000 students across undergraduate and postgraduate programmes. The utar.edu.my portal aggregates student information systems (SIS), LMS/e-learning platforms, fee payment gateways, exam timetabling, academic transcript generation, hostel management, library systems, research repositories, staff intranets, and administrative dashboards. Database access and admin panel compromise are the highest-priority targets — each earns the full $5,000 bounty when validated with a working attack chain.
In scope: every HTTP host on utar.edu.my operated by UTAR, API endpoints, SSO integration (SAML/OAuth flows), payment gateway connectors, database servers reachable from UTAR infrastructure, student and staff portal renderers, static deploy paths, session signing secrets, library system integrations, exam scheduling modules, hostel booking flows, research repository systems, mobile-responsive endpoints, and administrative dashboards.
The only exclusions are legal and ethical ones: blackmail, mass student harassment, and brute forcing unrelated external bank accounts. These bans apply to every surface; they are not product-level scope carve-outs.
What a paid report must contain:
1️⃣ A narrative kill chain tying root cause → exploit steps → observable impact.
2️⃣ Proof the attack succeeds (replayable scripts, fixture logs, video with signatures, scripted harness).
Narratives without a working exploitation path are graded below the payout threshold.
Why probe UTAR?
Flat $5K critical payouts
No severity-matrix haggling: validated critical exploits with reproducible payloads earn exactly $5,000 USD.
Database & admin priority
SQL injection, exposed DB interfaces, SSRF reaching internal databases, and admin panel takeovers are the highest-value targets and are rated critical on validation.
Responsible disclosure halo
Demonstrated exploits with airtight chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid findings require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel request harnesses, SQLi dump captures, SSO token forgeries, signing traces, and the like).
Critical classes include: unauthorized database access (SQLi, exposed DBMS, backup leaks); admin panel takeover granting full system control; SSO bypass granting admin-level access across UTAR’s portfolio; payment gateway manipulation causing silent fee reroute; mass PII exfiltration of academic or personal data; persistent RCE in the portal or LMS control plane; break-glass access to signing keys or database credentials.
- Read/write access to student records database (grades, PII, enrolment data)
- Admin dashboard authentication bypass or privilege escalation
- Payment callback abuse causing silent fee reroute or duplicate credit at scale
- SSRF from UTAR infrastructure reaching internal cloud or on-premise systems
Illustrative map (non-exhaustive)
These rows do not impose limits; they are shorthand for tagging reports. Anything UTAR hosts, signs, proxies, parses, verifies, or integrates counts as bounty ground even if undocumented here. “Not listed” does not mean “out of scope”: the default stance is open scope across UTAR’s digital perimeter.
| Surface | Class | Critical payout |
|---|---|---|
| utar.edu.my, portal HTML/JS/CSS, *.utar.edu.my | Web · CDN | $5,000 / validated bug |
| Student APIs, LMS integrations (e.g. WBLE), SSO endpoints (SAML, OAuth, session cookies) | Backend | $5,000 / validated bug |
| Fee payment gateway, checkout redirects, financial aid systems | Payments | $5,000 / validated bug |
| Internal databases, admin dashboards, exam results, transcript generation | Database | $5,000 / validated bug |
| Hostel management, library systems, research repositories, staff portals | Admin | $5,000 / validated bug |
Everything UTAR operates — no exclusions list
Sandbox student portals, canary databases, Grafana for campus systems, Telegram/bot hooks for admin alerts, partner LMS or library integrations fronted by UTAR — all eligible when critical impact reproduces. Database access and admin panel compromise are the primary targets.
- Vanity subdomains CNAME’d into UTAR edge — show DNS/traffic proof in your write-up.
- Mobile app SDKs or widgets UTAR ships to students/staff
- Research grant management systems operated under utar.edu.my
- Internal database endpoints, phpMyAdmin, exposed DBMS ports, backup files
- IoT or smart-campus callbacks verified with UTAR-issued secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing data/state impact — not paper analysis alone.
- Number your hops. Session/API primitive → escalation → database/admin/payment integrity break.
- Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
- Private coordination first. Use official intake on utar.edu.my before public threads.
- Duplicate fairness. First qualifying PoC wins; later duplicates are closed as acknowledged-only.
How to submit a report
Use the security / vulnerability disclosure contact published on https://utar.edu.my/ (security@utar.edu.my is a plausible address but is not confirmed here; verify it on the live site before emailing). Template below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — database/admin/student impact in one paragraph
# Severity self-classification → must map to UTAR critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, endpoint, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/data/payment escalation
4. Final hop → DB exfil / admin takeover / payment diversion / infra takeover equivalent
## Successful exploitation evidence
• Scripted replay showing record/payment impact
• Paired HAR/PCAP demonstrating cross-user data access
• SQLi dump output or database connection proof
• Signing or token trace if SSO/crypto primitive involved
# Remediation suggestion (optional but appreciated)
• Short description of expected fix orientation
# Attachments (zipped, <10 MB, no malware)
- PoC script.py, capture.har, logs/
Python vignette · pair with reproducible exploit replay
Python illustrating an admin panel session replay that leads to database access. On its own it proves nothing: attach the HAR/logs showing that the unauthorized request actually retrieved protected data from utar.edu.my.
# BUGGY: admin panel trusts the session cookie without IP/scope binding
import requests

BASE = "https://utar.edu.my/admin/api/v1"
SESSION = "eyJhbGciOiJIUzI1NiIs..."  # captured admin session (value truncated)


def export_students(db_table):
    """Replay the captured admin cookie against the bulk-export endpoint."""
    resp = requests.get(
        f"{BASE}/export/{db_table}",
        headers={"Cookie": f"utar_admin_session={SESSION}"},
        timeout=30,
    )
    resp.raise_for_status()  # a 401/403 here would mean the replay was rejected
    return resp.json()


# MISSING: server-side binding of the session to IP, user-agent, or scope.
# The attacker replays the stolen admin session and extracts database rows.
if __name__ == "__main__":
    for table in ["students", "staff", "payments"]:
        data = export_students(table)
        print(table, len(data), "records")
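The server-side control the vignette flags as missing, written out as an added example (not UTAR code): the cookie becomes an opaque random handle whose owner, roles and expiry live only in a server-side store, a client fingerprint is recorded at login, idle and absolute expiry are enforced, and the export endpoint demands a per-table export role on every call. The endpoint path and cookie semantics follow the vignette; the store, the fingerprint scheme, the role names and the sample rows are assumptions for illustration. One practitioner caveat is built in: IP/user-agent binding on its own is weak (NAT, roaming clients, and an attacker who captured the cookie often shares the same network vantage), so the checks that actually stop the replay from walking all three tables are the role check and the short idle timeout.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    roles: frozenset
    client_fp: str           # fingerprint of the client that logged in
    issued_at: float
    last_seen: float
    idle_ttl: int = 900      # seconds of inactivity before the session dies
    max_age: int = 8 * 3600  # absolute lifetime regardless of activity


# Constructed sample data standing in for the student database (assumption).
SAMPLE_ROWS = {
    "students": [{"id": "2200001", "name": "A. Tan"}, {"id": "2200002", "name": "B. Lim"}],
    "staff": [{"id": "S001", "name": "C. Wong"}],
    "payments": [{"ref": "P-1", "amount": 1250.00}],
}


class SessionStore:
    """Opaque-token session store (hypothetical, in-memory).

    The cookie value is a random handle; owner, roles and expiry live only
    here, so a captured cookie carries nothing the holder can re-scope."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def fingerprint(client_ip, user_agent):
        # Caveat: IP/UA can change legitimately (NAT, mobile roaming) and a
        # cookie thief may share the same vantage point, so a mismatch forces
        # re-authentication rather than proving theft.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def login(self, user, roles, client_ip, user_agent, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(
            user, frozenset(roles), self.fingerprint(client_ip, user_agent), now, now
        )
        return token

    def authorize(self, token, required_role, client_ip, user_agent, now=None):
        """Return (ok, reason); every check runs server-side on each request."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown session"
        if now - s.issued_at > s.max_age or now - s.last_seen > s.idle_ttl:
            del self._sessions[token]
            return False, "session expired"
        if not hmac.compare_digest(self.fingerprint(client_ip, user_agent), s.client_fp):
            return False, "client mismatch, re-authenticate"
        if required_role not in s.roles:
            return False, f"missing role {required_role}"
        s.last_seen = now
        return True, "ok"


def export_handler(store, token, table, client_ip, user_agent, now=None):
    """Model of GET /admin/api/v1/export/<table> with the binding in place.

    Bulk export needs a per-table export role, not merely an admin login."""
    ok, reason = store.authorize(token, f"export:{table}", client_ip, user_agent, now)
    if not ok:
        return 403, {"error": reason}
    return 200, {"table": table, "rows": SAMPLE_ROWS.get(table, [])}


if __name__ == "__main__":
    store = SessionStore()
    # Legitimate admin logs in from the staff network with export rights on one table.
    tok = store.login("admin", {"export:students"}, "10.1.2.3", "Mozilla/5.0 staff", now=1000.0)
    print("owner: ", export_handler(store, tok, "students", "10.1.2.3", "Mozilla/5.0 staff", now=1010.0))
    # Replay of the same cookie from an attacker's host: fingerprint mismatch.
    print("replay:", export_handler(store, tok, "students", "203.0.113.9", "curl/8.4", now=1020.0))
    # Even the owner cannot pull a table the session was never scoped to.
    print("scope: ", export_handler(store, tok, "payments", "10.1.2.3", "Mozilla/5.0 staff", now=1030.0))
```

The `now` parameter exists only so the expiry paths can be exercised deterministically; in a real handler it is the request clock. A production version would also re-issue the token on privilege change and log every 403 from `authorize` with the session owner, since a burst of client-mismatch rejections against one admin token is exactly the detection signal for the replay the vignette demonstrates.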
Frequently asked questions
Is anything actually “out of scope” besides illegal stuff?
No discretionary product carve-outs, only universal legal/ethical lines (crime, harming unrelated civilians, ransomware, facilitating academic dishonesty, etc.). If UTAR hosts, proxies, signs, or documents a surface, testers may work on it unless and until triage rules out a specific target.
Do speculative write-ups without a working exploit get paid?
No. $5K critical payouts require both a complete kill-chain narrative and evidence of a successful attack path (replayable artifacts). Theoretical write-ups are not compensated under this program.
Are database-related findings automatically critical?
Exposed database endpoints, SQL injection with data exfiltration proof, or admin panel access that leads to database control are critical by default. The $5K reward applies when the kill chain from initial vector to database impact is complete and reproducible.
Can I test on live UTAR systems or should I mirror?
Both. A self-hosted staging mirror reduces noise and avoids tripping rate-limit/WAF alerts. However, live reproduction with low-impact student accounts and minimal data extraction is accepted — as long as your PoC does not degrade UTAR services or expose real student PII unnecessarily.
How are duplicates handled?
First reporter with a complete kill-chain and reproducible PoC receives the $5K bounty. Subsequent near-identical submissions receive acknowledgement-only credit. Substantially different attack vectors against the same underlying flaw may be treated as separate findings — disclose in your narrative.