“@CERN #BugBounty Program launches today! Did you know that the WWW as we know it today was created at CERN? Thanks to this fundamental invention, you now have the opportunity to help @CERN Computing uncover vulnerabilities. With a maximum bounty of 210 CHF rewarded to those who spot and present groundbreaking findings. Join the program to make a cosmic impact and illuminate the black holes of CERN’s digital realm. #Cybersecurity”. This is the announcement that the CERN-chosen security company has published to its hacker community to invite them to start hacking CERN.
After an all-encompassing computer security scan for vulnerabilities in CERN’s web sphere by another external company, we have launched the next stage: the Bug Bounty. While the security scan was intended to be broad – targeting about 2500 web servers with openings in CERN’s outer perimeter firewall towards the internet and nearly 7500 websites that are open and unprotected by CERN’s SSO – the Bug Bounty will poke deep. While the automatic scan produced more than 35k unverified findings, where the majority were (wrongly!) linked to outdated versions (but with backported security fixes!), as well as several dozen more critical problems like (mainly!) cross-site scripting and a few not-so-problematic command line injection vulnerabilities, the Bug Bounty will discover, verify and validate more complicated exploits that could potentially lead to a takeover of CERN’s IT infrastructure as a whole. For instance, breaking into websites in order to obtain access to the underlying server’s operating system, manipulating a badly protected database in order to access confidential information or (possibly with the help of the former two!) compromising web servers in order to get a stronghold in CERN’s internal network and then move laterally through it for more juicy targets (like CERN’s AD/LDAP servers).
In parallel, the autumn will also see numerous students from, for the first time, the Deggendorf Institute of Technology in Germany and, once again, the St. Pölten University of Applied Sciences in Austria, who will probe CERN’s web sphere as part of CERN’s WhiteHat Challenge. In the past, this challenge has already found a multitude of sophisticated vulnerabilities and misconfigurations.
As stated in the announcement, the Bug Bounty programme comes (as its name suggests!) with a cost to CERN in order to create the necessary incentives for hackers to participate. Scaling with the severity of their findings (as rated by the “Common Vulnerability Scoring System” CVSS), the Bug Bounty hackers are paid 2-to-the-power-of-the-finding’s-CVSS-score (2CVSS) Swiss francs for each of their findings (so up to 1024 CHF for boss-level findings – and probably more in the future). However (lucky you!), contrary to what was said in our controversial Bulletin article on this subject earlier this year, we will not yet cross-charge the costs to the owner of the vulnerable website. Nevertheless, we will politely inform them of the corresponding costs in order to give them an idea of the price tag that negligence, lack of training or pure ignorance entails for CERN. And this is just the minimum price tag; a malicious attacker will not ask for a bounty but will instead dig deeper up to the damage level, to either sabotage CERN, exfiltrate data or ransom CERN to demand much more money than a Bug Bounty costs. So, let’s keep CERN’s costs at bay. Keep your websites secure!
________
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.