Santa Clara University's Playbook: How Universities Can Launch a Student-Driven Bug Bounty Program

Designed for mission-driven university CISOs navigating security coverage challenges with limited internal resources. Inspired by Kristen Dietiker and Santa Clara University.

Why This Playbook Exists

Higher education security teams operate in decentralized environments with limited resources, making it difficult to scale effective vulnerability discovery. This playbook exists to help universities address those challenges in practice by operationalizing a student-driven bug bounty program. Inspired by Kristen Dietiker’s early success with SCU’s bug bounty program, this framework shows how SCU used intentional scoping, student researcher engagement, and responsible disclosure workflows to scale coverage without adding headcount. University CISOs also have a unique opportunity to align security outcomes with institutional goals.

What You'll Learn

  • How to build the business case for a private, student-driven bug bounty program
  • How to launch with tight scope, low risk, and predictable costs
  • Strategies to engage students ethically while improving campus security visibility

Step by Step

Step 1: Align on the problem you're solving

Kristen brought her internal stakeholders together around two goals:

  1. Scalable security coverage in a decentralized environment
  2. Student development through ethical, hands-on experience

Step 2: Secure leadership buy-in

1. Mission alignment

Tie the program to the university’s educational values.

2. Low barriers to adoption

Leadership responds well when:

  • The program is private (only students/staff)
  • Risk is controlled
  • Costs are predictable
  • HackerOne triages reports, ensuring capacity isn’t strained

The fact that HackerOne triages everything really allowed us to move forward.

3. Budget readiness

If budget is a concern, start small:

  • Private bounty program
  • Small invite-only group of students
  • Modest reward pool

Step 3: Design a student-first program

1. Create an application and eligibility process.

Ensure students:

  • Are in good academic standing
  • Understand ethical testing practices
  • Are committed to learning

2. Implement guardrails and governance.

Partner early with:

  • Academic integrity offices
  • Finance (to avoid conflict-of-interest concerns)
  • IT leadership
  • Legal/compliance

3. Start with a narrow scope.

  • Internet-accessible university assets
  • Non-critical systems
  • Faculty research environments with known visibility gaps

Step 4: Prepare internal IT teams

Address concerns proactively before launch:

  • Explain HackerOne’s triage and validation process
  • Reinforce that teams receive verified findings, not raw noise
  • Normalize that low- and medium-severity findings are expected
  • Reframe findings as insight, not failure

One of the big fears was that we’d be overloaded… but HackerOne triaging everything solved that.

Step 5: Launch with a small, motivated student researcher cohort

SCU started with roughly a dozen student researchers.

Best practices:

  • Keep the initial cohort small
  • Provide onboarding and ethics training (Hacker101 modules, ethical hacking concepts)
  • Hold an orientation workshop
  • Set clear conduct and communication norms
  • Celebrate participation and learning, not just valid findings

Students are incredibly resourceful and imaginative. They consider things we wouldn’t think about.

Step 6: Operationalize the program for sustainability

1. Establish operating rhythms.

  • Weekly or biweekly reviews of triaged results
  • Clear IT point-of-contact
  • Defined remediation timelines

2. Track student growth and program impact. Kristen plans to measure:

  • Student skill progression
  • Quality of contributions
  • Impact on job searches (time to first job)
  • Whether findings reveal coverage gaps

3. Expect a slow start. Private programs often ramp slowly–that’s normal. Activity increases as:

  • Scope expands
  • Students gain confidence
  • Peer word-of-mouth spreads
Step 7: Use insights to improve campus visibility

Because students see what central IT cannot, SCU students surfaced:

  • Research cloud accounts
  • One-off departmental tools
  • Third-party and outsourced applications
  • Forgotten or legacy systems

This transformed SCU's program into a distributed visibility and assurance layer.

Step 8: Shift from "Fear of Findings" to "Learning from Findings"

This mindset shift is key for institutional adoption. Kristen’s message to other universities:

Don’t be afraid of the results. If you get a lot of reports, that’s good—it helps you get better.

Encourage stakeholders to see findings as progress. Use results to:

  • Justify additional resources or staffing
  • Strengthen governance
  • Expand scope
  • Demonstrate responsible risk management
Step 9: Embed the program into university culture

For Jesuit institutions like SCU—and mission-driven universities in general—connect the program to:

  • Ethical technology practice
  • Service to the community
  • Professional formation
  • Responsible innovation

To Kristen, bug bounty is not only an effective security tactic but also an educational asset.

Step 10: Expand and evolve over time

Once the foundation is stable, universities can:

  • Scale scope: Include more systems or cloud accounts.
  • Grow the researcher pool: Invite more students, staff, or graduate researchers.
  • Shift to continuous learning loops: Offer workshops, capture-the-flag tie-ins, industry guest speakers, internship pathways.
  • Transition into public programs (if desired).