Voir en

français

Computer Security: Pay per vulnerability

|

Updated on 13.05.2024: The text has been adapted to remove some confusion created by its wording with regards to the Bug Bounty programme (stage 3).

______

Remember CERN’s WhiteHat Challenge, in which we gave people outside CERN permission to hack into the Organization as long as they abided by a short set of rules and in which CERN trained its own staff and users in penetration testing and vulnerability scanning? While our “Day of the open firewall” to ease the life of penetration tests was of course only an April Fool’s hoax, we are still and seriously aiming to bring vulnerability scanning and penetration testing to the next (professional) level…

Actually, vulnerabilities lurk everywhere. In the operating system of your desktop PC, laptop or smartphone; in the software programs you run; in the applications and code you develop; in the web pages, web frameworks and web servers you use. Critical for assessing the risk of each vulnerability is the exploitability: can an attacker gain direct benefit from that vulnerability for their evil deed? Which hurdles need to be overcome beforehand? In that sense, computing services directly connected or visible to the internet are the most risky, as each potential vulnerability can be directly exploited by attackers (who are legion on the internet). Hence, it is essential that this attack sphere – all servers with openings in CERN’s outer perimeter firewall towards the internet – is as protected as possible and all known vulnerabilities are eradicated. That’s why CERN created the WhiteHat Challenge giving computer science and IT security students as well as interested CERN staff and users the chance to hack into CERN.

Now, in order to be even more thorough and delve even deeper, in order to find more (sophisticated) vulnerabilities, and just in time for the 2024 spring clean, the Computer Security team decided to tap into a larger pool of professionals and engage with ethical hackers and launched a three (and a half) staged approach towards improving the security of CERN’s Internet presence and beyond. Subject to ground rules, code of ethics, and scoping, the hackers are permitted to penetrate into CERN’s infrastructure (as outlined in the contractual scope and ethically without causing any damage) in order to identify vulnerabilities and weaknesses:

  1. In this first stage, we aim at a broad vulnerability scanning by external professionals of the whole Internet presence of CERN (and by an eager internal student in parallel) in order to identify the “low hanging fruits” (if any) and get them fixed;
  2. Afterwards, during the second stage, an in-depth penetration testing of key and core services performed by ethical hackers shall verify that our protective means are solid and robust, and that more complex attack vectors yield into nothing;
  3. Once stages 1 and 2 are terminated, and all findings are mitigated, the Computer Security Team will team up with a larger group of ethical hackers through a so-called “Bug Bounty Program”, like HackerOne or BugBountySwitzerland.

While the costs for the first two stages are free of charge and covered by its flat budget, the CERN Computer Security Team would like to trigger discussing the idea to cross-charge the so-called “Bug Bounty” ─ as “paid per vulnerability found” ─ to the owner of the corresponding vulnerable system. It is this Bounty which creates an incentive for an ethical hacker reporting first a finding as each finding supports their living: For example 100 CHF for identifying an easy cross-site scripting problem; 500 CHF for obtaining root access to a server; 1000 CHF for finding credentials that allow them to move laterally towards other internal services; 5000 CHF for compromising a service that allows them to configure other services (like Puppet, Git, LDAP or Active Directory).

However, that Bounty also creates an incentive for you! Like the shared responsibility for computer security at CERN, the Bug Bounty costs will also be shared, and shall be born by your (group’s or departmental) budget if you own, manage or run a computing resource, service, system, device or website that is found by an ethical Bug Bounty hacker to be vulnerable or weak, and if that finding is linked to negligence of general security standards (bad programming practices, unpatched systems, suboptimal handling of secrets and passwords, nit using CERN’s Single Sign-On etc.), … Time for incentive to get it right from the beginning! It’s up to you whether you are ready to pay any incurring costs of vulnerable resources found by an ethical hacker, or to invest a bit more in getting your system and service, your devices and websites up to general standards. The CERN Computer Security Team is happy to help you with this.

_________

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.