CERN WhiteHat Challenge: Code of Ethics

Together with CERN's Computing Rules, this Code of Ethics is binding for any CERN WhiteHat.

  1. Application: This Code of Ethics shall apply, and shall be observed at all times, by all Participants during their involvement in the CERN WhiteHat Challenge (“the Challenge”).
  2. Participation: Only persons who are (i) officially affiliated with an institution that has signed a Memorandum of Understanding with CERN to be involved in the Challenge, and (ii) who have the endorsement of a Supervisor connected with that institution (who is working in the domain of cyber-security, and who is recognised by CERN) may become Participants in the Challenge. In addition, CERN staff and users may also become Participants in the Challenge; their endorsement is given by the Computer Security Officer.
  3. Conduct: Participants shall conduct themselves in the most ethical and competent manner and display integrity at all times in connection with their participation in the Challenge. In particular, in the course of their involvement in the Challenge, Participants must:
    • take all necessary care to ensure the ethical conduct and high standard of care required to participate in the Challenge;
    • only use the property of CERN in ways that have been authorised by CERN's Computer Security Officer and with CERN’s knowledge and consent;
    • ensure that they do not violate any national regulations, regulations of the institution with which they are affiliated or their Internet Service Provider (“ISP”), nor engage in deceptive practices such as bribery, blackmail or improper financial practices in connection with the Challenge. If a Participant has doubts about the legality of their work, they are to cease their activities immediately and raise the issue with their Supervisor;
    • ensure that, during their participation in the Challenge, network traffic is kept minimal and does not impact on the overall stability of the network that they are using or their ISP;
    • take care to ensure that network equipment, computing services or web applications, hosted at CERN, by an intermediate ISP or by their institution, are not compromised, prevented from working, modified, subject to a denial of service attack or rendered broken; and
    • take utmost care not to alter or delete any webpage, account, data, or any other information hosted at CERN or elsewhere.
  4. Scope: For the purposes of participating in the Challenge, Participants shall only investigate CERN’s IT facilities and networks connected to the CERN network domain (i.e. "cern.ch" or ".cern" and belonging to the 128.141.0.0/16, 128.142.0.0/16, 137.138.0.0/16, 185.249.56.0/22, 188.184.0.0/15, 194.12.128.0/18 & 2001:1458::/32 networks). "Social Engineering" techniques are excluded.
  5. Disclosure: Participants shall disclose all their findings resulting from their involvement in the Challenge to their Supervisor and to CERN where they believe the data indicates a security weakness in CERN’s IT facilities, either existing or potential.
  6. Confidentiality: All information gained from and about CERN’s IT facilities by Participants as a consequence of their involvement in the Challenge is to be regarded as confidential and treated as such. Participants may not make any copies of, or store, any CERN data that they discover as part of their activities in the Challenge. Participants agree that, at the end of their involvement in the Challenge, they will erase all CERN data that they have collected during the Challenge. Participants agree not to give, sell or transfer any such information to any entity other than CERN without CERN’s prior written consent.
  7. Conflicts of Interest: Participants shall disclose to CERN and their Supervisor any conflicts of interest they may have that will arise, or could be considered to arise, from their participation in the Challenge.
  8. Unauthorised usage: In the course of the Challenge, Participants shall never knowingly use software or processes that have been obtained or retained either illegally or unethically.
  9. Malicious activities: Participants shall not associate with malicious attackers or underground communities, nor engage in malicious activities as part of the Challenge. Only CERN’s infrastructure should be investigated in the Challenge and only for the purpose of exposing, rather than exploiting, weaknesses.