Customer Story

Santa Clara University's Playbook

Inspired by Kristen Dietiker, CISO at Santa Clara University

Industry
Education
Use Cases
Crowdsourced Security, Security Research, Exposure Management
Solutions
Bug Bounty
Regions
North America

Get Started

What You'll Need

  • Bug Bounty
  • Triage Services

What You'll Learn

  • How to build a business case for “why bug bounty” and “why change now”
  • Build a student-driven private bug bounty program that supports career development

Defining the Challenge

University CISOs tend to share Kristen’s challenges:

  • Small security teams with complex or distributed environments
  • Blind spots across academic and research systems
  • Students are already curious and testing systems (without structure)

Solution

Launch a private bug bounty program on HackerOne with a select group of students as researchers

The Playbook

How universities can launch a student-driven bug bounty program

Why This Playbook Exists

Higher education institutions face a unique mix of challenges: decentralized environments, small security teams, limited visibility into academic systems, and students hungry for skill development. This playbook exists to enable universities to protect their campus and foster hands-on cybersecurity learning opportunities for students, using an ethical and sustainable bug bounty program on HackerOne.

Kristen Dietiker brought her internal stakeholders together around two goals:

  1. Scalable security coverage in a decentralized environment
  2. Student development through ethical, hands-on experience

1. Mission alignment

Tie the program to the university’s educational values.

2. Low barriers to adoption

Leadership responds well when:

  • The program is private (only students/staff)
  • Risk is controlled
  • Costs are predictable
  • HackerOne triages reports, ensuring capacity isn’t strained

The fact that HackerOne triages everything really allowed us to move forward.

3. Budget readiness

If budget is a concern, start small:

  • A private bounty program
  • A small invite-only group of students
  • A modest reward pool

1. Create an application and eligibility process

Ensure students:

  • Are in good academic standing
  • Understand ethical testing practices
  • Are committed to learning

2. Implement guardrails and governance

Partner early with:

  • Academic integrity offices
  • Finance (to avoid conflict-of-interest concerns)
  • IT leadership
  • Legal/compliance

3. Start with a narrow scope

  • Internet-accessible university assets
  • Non-critical systems
  • Faculty research environments with known visibility gaps


Address your IT team's concerns proactively before launch:

  • Explain HackerOne’s triage and validation process
  • Reinforce that teams receive verified findings, not raw noise
  • Normalize that low- and medium-severity findings are expected
  • Reframe findings as insight not failure

One of the big fears was that we’d be overloaded… but HackerOne triaging everything solved that.

SCU started with roughly a dozen student researchers.

Kristen's best practices:

  • Keep the initial cohort small
  • Provide onboarding and ethics training (Hacker101 modules, ethical hacking concepts)
  • Hold an orientation workshop
  • Set clear conduct and communication norms
  • Celebrate participation and learning, not just valid findings

Students are incredibly resourceful and imaginative… they consider things we wouldn’t think about.

1. Establish operating rhythms

  • Weekly or biweekly reviews of triaged results
  • Clear IT point-of-contact
  • Defined remediation timelines

2. Track student growth and program impact

Kristen plans to measure:

  • Student skill progression
  • Quality of contributions
  • Impact on job searches (time to first job)
  • Whether findings reveal coverage gaps

3. Expect a slow start

Private programs often ramp slowly, and that’s normal. Activity increases as:

  • Scope expands
  • Students gain confidence
  • Peer word-of-mouth spreads

Because students see what central IT cannot, SCU students surfaced:

  • Research cloud accounts
  • One-off departmental tools
  • Third-party and outsourced applications
  • Forgotten or legacy systems

This transformed SCU's program into a distributed visibility and assurance layer.


This mindset shift is key for institutional adoption. Kristen’s message to other universities: “Don’t be afraid of the results. If you get a lot of reports, that’s good—it helps you get better.”

Encourage stakeholders to see findings as progress. Use results to:

  • Justify additional resources or staffing
  • Strengthen governance
  • Expand scope
  • Demonstrate responsible risk management

For Jesuit institutions like SCU—and mission-driven universities in general—connect the program to:

  • Ethical technology practice
  • Service to the community
  • Professional formation
  • Responsible innovation

This elevates bug bounty from a security tactic to an educational asset.

Once the foundation is stable, universities can:

  • Scale scope: Include more systems or cloud accounts.
  • Grow the researcher pool: Invite more students, staff, or graduate researchers.
  • Shift to continuous learning loops: Offer workshops, capture-the-flag tie-ins, industry guest speakers, internship pathways.
  • Transition into public programs (if desired).