White Hats for Science is the Berkeley Lab implementation of the DOE Vulnerability Disclosure Program (VDP). The White Hats for Science program provides an authorized disclosure process for members of the public to report potential security vulnerabilities or issues in systems and applications on the Lab's networks. It streamlines the process by letting you report a vulnerability directly, by simply sending an email to [email protected]

Why do we need vulnerability disclosures? 

From the infinite scale of the universe to the infinitesimal scale of subatomic particles, researchers at Lawrence Berkeley National Laboratory are advancing the scope of human knowledge and seeking science solutions to some of the greatest problems facing humankind. Scientific excellence and an unparalleled record of achievement have been the hallmarks of this Laboratory since it was founded in 1931. The Lab does this by bringing together multidisciplinary teams of researchers from across the globe to conduct open science research. 

At the heart of these collaborations is a secure and safe environment that ensures research isn't disrupted by compromised networks or systems. To reduce information security risk, the Lab conducts ongoing vulnerability assessments. The Lab may also scan as needed for vulnerabilities that are known to be under active attack or of particular interest to attackers. To help provide a secure environment for science and to augment our own efforts, we invite the public to report vulnerabilities that our internal testing may not have revealed.

Which systems/services/applications may be reported?

  1. Any system or application connected to the Lab's network may be reported to [email protected] 
  2. Please include in your report a description of the vulnerability, its location and potential impact; the technical information needed to reproduce it; and any proof-of-concept code. 
  3. Berkeley Lab respects privacy, and reporters may submit vulnerability disclosures anonymously. However, we encourage reporters to voluntarily provide contact information so that we can follow up. 

Which vulnerability tests are unauthorized? 

Certain types of vulnerability tests could cause operational harm to the Lab or expose systems in a way that would allow a malicious person to gain access. The following types of vulnerability tests are not authorized as part of the White Hats for Science program:

  1. Denial of Service (DoS) testing: A DoS attack aims to make a machine or network resource unavailable to its intended users. DoS tests could prevent Lab employees from conducting their day-to-day operations and could disrupt research efforts. 

  2. Social engineering tests (e.g. phishing tests): Social engineering is a term for a broad range of malicious activities accomplished through human interaction. These attacks attempt to trick users into making security mistakes or giving away sensitive information. Phishing simulations in particular can be a distraction for Lab employees conducting rigorous scientific research. 

  3. Tests that require an account or more than public access: Any testing that first requires an account to be created, or access to be granted to a system or application, is out of scope for this program. This includes testing that triggers an account request; subsequent testing is not authorized even if the account request is approved. 

  4. Other unauthorized tests: Exploiting a vulnerability beyond the minimal testing required to prove that it exists, or to identify an indicator related to it, is considered an unauthorized form of testing under this program. Testing beyond that minimum could harm Lab systems and networks.

  5. Berkeley Lab prohibits disclosing any personally identifiable information discovered during testing to any third party.

What will LBL do when we receive a vulnerability report?

We appreciate your interest in the White Hats for Science program and thank you for helping advance rigorous scientific research. We review and assess reported vulnerabilities promptly, and we aim to get back to reporters within 24 hours of a disclosure. We will also tell reporters what steps were taken to remediate the vulnerability.

Does LBL offer bounties? 

A common practice for vulnerability disclosure programs is to offer rewards (bounties) for the responsible disclosure of a vulnerability. However, as a publicly funded organization we are unable to offer financial rewards to reporters. Reporters will not receive payment for submitting vulnerabilities, and by submitting, reporters waive any claim to compensation. We would nonetheless like to recognize the contributions of those participating in the White Hats for Science program for helping ensure that scientists at the Lab have a secure environment in which to conduct research. Reporters will (at their option) be recognized below for their reports:

Kudos

2026-06-11: Thank you to 株式会社CyberCrew (CyberCrew Co., Ltd.) for identifying a potential web server issue.
2026-04-19: Thank you to Ph4nt0m_Sec for helping to identify potential misconfigurations with web servers.
2026-04-11: Thanks to Scott Bamforth for his responsible disclosure to help protect our github project repo.
2026-04-01: Thanks to Alex Harold for his responsible disclosure to help protect our Science website. 
2026-03-19: Thanks to Mohd fayyaz Ansari for his responsible disclosure to help protect our Science web sites.
2026-03-11: Thanks Lindan Tri Saputra for keeping drive links safe.
2026-03-11: Thanks Lindan Tri Saputra for keeping web sites safe.
2026-03-09: Thanks to ZeroDay_Sniper for keeping an eye out for potential issues.
2026-03-05: Thanks Lindan Tri Saputra for helping Science by keeping web directories secured.
2026-02-22: Thanks Lindan Tri Saputra for helping Science by keeping our websites free from broken links.
2026-01-21: Thank you, Aaron Amran—identification of an exposed device contributes positively to science—your vigilance enhances security!
2025-12-22: Thank you again to Aaron Amran Bin Amiruddin (@aaronamran) - Sarawak Information Systems (SAINS) for identifying a potential web server issue.
2025-12-16: Thank you to Aaron Amran Bin Amiruddin (@aaronamran) - Sarawak Information Systems (SAINS) for identifying a web server misconfiguration.
2025-08-11: Kudos to Cade Thomas for reporting information that may have been unintentionally made public.
2025-06-02: Thank you to Sornram Kampeera for helping to keep web resources safe.
2025-05-31: We want to thank Ali Firas — Cybersecurity Researcher, for helping to keep lab websites safe.
2025-04-14: Thank you to Zabit Majeed for identifying a WordPress misconfiguration.
2025-03-04: We want to thank Zakaria Weld_Asfi Bahri for their help identifying misconfigured websites.
2025-02-25: We want to thank Michelle E. Drummond for keeping an eye out for potential email issues.
2025-02-13: Kudos to you Aryawardhan Singh for your efforts in keeping the lab safe!
2025-02-03: Thank you Aryawardhan Singh for responsibly disclosing and keeping science safe for the lab, once again!
2024-07-09: Much appreciation to Khan Janny for a responsible VDP report.
2024-07-05: We want to thank Nitesh Rauniyar for helping to protect science. 
2024-06-30: Thank you Aryawardhan Singh and Manan Patel for responsibly disclosing and keeping science safe for the lab.
2024-06-13: Thank you Aryawardhan Singh and Manan Patel for responsibly disclosing and keeping science safe for the lab.
2024-06-11: Thank you Aryawardhan Singh and Manan Patel for responsibly disclosing and keeping science safe for the lab.
2024-04-15: Thank you Ashish Rai for responsibly disclosing and keeping science safe for the lab. 
2024-02-28: Thank you Ariel Rachamim and Omri Inbar for responsibly disclosing and keeping science safe for the lab.
2024-01-30: Thank you Aryawardhan Singh for your continued help rooting out misconfigurations.
2024-01-29: Thank you again to Aryawardhan Singh for their help identifying misconfigured websites.
2024-01-26: Much appreciation to Aryawardhan Singh for identifying misconfigured repositories.
2024-01-16: Thank you to Saied Khater for responsibly disclosing and keeping science safe in the lab.
2023-10-24: Kudos and thank you to Jaleel Hasan for helping to ensure LBL documentation has appropriate visibility settings.
2023-09-01: Thank you Charan Akiri for protecting science by responsibly reporting information leakage.
2023-07-26: Many thanks to Jayson Zabate - THEOS Cyber Solutions for keeping an eye out for potential issues!
2022-05-24: A big thank you to Daniel Rhea for responsible reporting and helping science to stay safe!

Questions

Would you like a shout-out? Email [email protected] and we will make sure your contributions are acknowledged on this page. 

Please email [email protected] if you have any questions about the Program.

You can use https://go.lbl.gov/vdp to link to this page. 
