White Hats for Science is the Berkeley Lab implementation of the DOE Vulnerability Disclosure Program (VDP). White Hats for Science program provides an authorized disclosure process for members of the public to report potential security vulnerabilities or issues on systems and applications within the Lab's networks. It streamlines the process by allowing you to report vulnerabilities more directly, by simply sending an email to [email protected]
Why do we need vulnerability disclosures?
From the infinite scale of the universe to the infinitesimal scale of subatomic particles, researchers at Lawrence Berkeley National Laboratory are advancing the scope of human knowledge and seeking science solutions to some of the greatest problems facing humankind. Scientific excellence and an unparalleled record of achievement have been the hallmarks of this Laboratory since it was founded in 1931. The Lab does this by bringing together multidisciplinary teams of researchers from across the globe to conduct open science research.
At the heart of these collaborations is a secure and safe environment that ensures research isn't disrupted by compromised networks or systems. In order to reduce information security risks, the Lab conducts ongoing vulnerability assessments. The Lab may also scan as needed for vulnerabilities that are known to be under attack or of particular interest to attackers. To help provide a secure environment to advance science and augment our efforts, we invite the public to report vulnerabilities that might not have been revealed in our internal tests.
Which systems/services/applications may be reported?
- All systems and applications connected to the Lab's network may be reported to [email protected]
- Please include description of the vulnerability, its location and potential impact; technical information needed to reproduce; any proof of concept code etc in your report.
- Berkeley Lab respects privacy and reporters may submit the vulnerability disclosures anonymously as well. Though, we’d encourage reporters to voluntarily provide contact information.
Which vulnerability tests are unauthorized?
There are certain types of vulnerability tests that could result in operational harm for the Lab or expose systems that would allow a malicious person to get access. The following types of vulnerability tests are not authorized as part of the White Hats for Science program:
Denial of Service (DoS) Testing: A DoS attack aims to make a machine or network resource unavailable to the intended user. DoS tests could prevent Lab employees from conducting their day to day operations, and it could disrupt research efforts.
Social engineering test (for e.g. phishing tests): Social engineering is a term used for a broad range of malicious activities accomplished through human interactions. These attacks attempt to trick users into making security mistakes or giving away sensitive information. Phishing simulations in particular can prove to be a distraction for Lab employees conducting rigorous scientific research.
Tests that require an account or more than public access for testing. Any testing that first requires an account be created or access granted to a system or application are out of scope of this testing. This includes testing that causes an account requests, subsequent testing is not authorized, even if the account request is approved.
Other unauthorized tests: Exploitation of a vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability would be considered unauthorized forms of testing as part of this program. Testing beyond a minimal amount could harm Lab systems and networks.
Berkeley Lab prohibits the disclosure of any personally identifiable information discovered to any third party.
What will LBL do when we receive a vulnerability report
We appreciate your interest in the White Hats for Science program and thank you for helping advance rigorous scientific research. We will review and assess reported vulnerabilities immediately. We aim to get back to reporters within 24 hours of a vulnerability disclosure. We will also disclose the steps taken to remediate this vulnerability to our reporters.
Does LBL offer bounties?
A common practice for vulnerability disclosure programs is to offer rewards (bounties) for the responsible disclosure of a vulnerability. Reporters will not receive payment for submitting vulnerabilities and that by submitting, reporters waive any claims to compensation. At the minimum at this time, we would like to recognize contributions of those participating in White Hats for Science program for helping ensure that scientists at the Lab have a secure environment to conduct research.
Kudos
2024-04-15: Thank you Ashish Rai for responsible disclosing and keeping science safe for the lab.
2024-02-28: Thank Ariel Rachamim and Omri Inbar for responsibly disclosing and keeping science safe for the lab.
2024-01-30: Thank you Aryawardhan Singh for your continued help rooting out misconfigurations.
2024-01-29: Thank you again to Aryawardhan Singh for their help identifying misconfigured websites.
2024-01-26: Much appreciation to Aryawardhan Singh for identifying misconfigured repositories.
2024-01-16: Thank you to Saied Khater! For responsibly disclosing and keeping science safe in the lab.
2023-10-24: Kudos and thank you to Jaleel Hasan for helping to ensure LBL documentation has appropriate visibility settings.
2023-09-01: Thank you Charan Akiri for protecting science by responsibly reporting information leakage.
2023-07-26: Many thanks to Jayson Zabate - THEOS Cyber Solutions for keeping an eye out for potential issues!
2022-05-24: A big thank you to Daniel Rhea for responsible reporting and helping science to stay safe!
Questions
Would you like a shoutout? Email [email protected] and we will make sure your contributions are acknowledged on this page.
Please email [email protected] if you have any questions about the Program.
You can use https://go.lbl.gov/vdp to link to this page.
