White hats for CERN

CERN is under attack. Permanently. Even right now. In particular, the CERN web environment, with its thousands of websites and millions of webpages, is a popular target for evil-doers as well as for security researchers.


Usually, their attacks are unsuccessful and fade away over time. Sometimes, however, they are successful and manage to break into a CERN website or web server… It is imperative that we learn about our weaknesses before others do – and fix them!

Hackers with bad intentions are usually named “black hats” as they misuse their power to cause destruction or downtime via any weakness they can find. “Grey hats” are more moderate and might just have some fun with the weaknesses they find, for example by putting naked teddy bears or a personal message (such as “I hacked U”) on the compromised website. Last but not least, “white hats” report their findings directly to us and suggest that we take action (see here for a few examples) – and we quickly comply! We want more white hats, so in 2015 we teamed up with a number of universities worldwide and created the CERN WhiteHat Challenge. Following dedicated lectures on ethics and security assessment techniques, students of those universities studying cyber security are entitled to perform penetration tests on CERN’s websites. It is a triple win as the students get to practise on live production systems, their professors don’t need to create an artificial testing environment, and CERN learns early on about vulnerabilities and weaknesses in its webpages. This has worked out well so far: students from the Universities of Rotterdam, Kent and FH St. Pölten have already reported their findings to us. Other universities are preparing for their students to take part this semester.

You might be wondering why we limit this programme to external people. We don’t! The CERN WhiteHat Challenge is also open to CERN employees and users who want to develop their penetration testing and vulnerability scanning skills. No in-depth technical expertise is needed – all you need is motivation. However, it is mandatory to take dedicated training courses covering ethics, web technologies, and an introduction to penetration testing and exploitation. This initial training cycle is complemented by in-depth courses on different subjects (e.g. cross-site scripting, command line injection) given at regular intervals.

If you are a member of CERN’s personnel and want to help us secure our web environment by becoming an official CERN white hat, please subscribe to this e-group and we will invite you to one of the next white hat courses in autumn 2016.

For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report

Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team