Rules of Engagement

Allowed Activity

• Testing only within official challenge scope and attack windows.
• Submission of reproducible and ethically reported vulnerabilities.
• Retest activity only when authorized by event timeline.

Prohibited Activity

• DDoS, brute-force abuse, infrastructure sabotage, or destructive payloads.
• Social engineering against participants, organizers, or sponsors.
• Accessing out-of-scope assets or third-party systems.
• Publishing exploit details before official disclosure timelines.

Reporting Standards

Every report must include clear steps, impact description, evidence, and suggested remediation where possible. Duplicate or invalid reports receive reduced or zero points.