We are updating the rules slightly, and increasing the challenge scope to cover the complete LocalTapiola Bug Bounty program.
The basic rules stay the same, with these changes:
- The in-scope domains are expanded to cover all the domains that are in-scope in the normal LocalTapiola bug bounty program as well
- All submissions are eligible for bounties – the rules are the same as in the normal LocalTapiola bug bounty program ($50-$50k)
- Only NEW reports are eligible – don’t duplicate current open and/or unresolved reports from the normal LocalTapiola bug bounty program
- In any case of confusion or ambiguity between the two bug bounty programs – LocalTapiola reserves all rights to make wise decisions
This year’s pre-conference challenge will be a t2 exclusive bug bounty. For more information on how to participate, please see the t2’17 Challenge page.
As we’ve been organizing challenges for over a decade, you might wonder why change now? For several years in a row, the challenge participant numbers have been steadily declining, despite increased efforts put into creating the technical puzzles, challenge descriptions and back stories, and actual promotion. It’s not just the number of submissions, but also the downloads and page views. Thomas Malmberg kindly pointed out that with conference challenges we’re competing for people’s time – this is the arena where also bug bounties play.
It was time for us to either adapt or perish. This being t2, failure was not an option and quitting is something you do for apps, not in real life. With conference budgets one simply does not organize a bug bounty – you need friends’ help for that. That is the reason we partnered up with LocalTapiola to provide you a t2 exclusive bug bounty, targeting a real world business application running in production environment. To make sure the spirit of t2 challenges is still there, we are emphasizing the vulnerability quality and proof of exploitability. The challenge is not a speed competition – the most elegant and meaningful vulnerability submission will receive the free ticket, and we have adjusted the whole bug bounty process to reflect that.
Once you convert someone else’s medium severity local file read into unauthenticated remote code execution, you start to value proper analysis and investigation into the technical details of a vulnerability. In other words, 2002 called – they want their apache-scalp.c back. The 15 year anniversary is a pure co-incidence, as is Dave Aitel’s headline keynote at t2’17, the stars just happened to align the right way, like good exploitation primitives after putting in the time and effort.
The challenge is dead. Long live the challenge.
We hope you enjoy the reinvigorated format!
Carl “Zeta Two” Svensson from Sweden was the first one to solve the t2’16 Challenge. Well done! Congratulations!
The elegant write-up trophy goes to Alexander Polyakov, Russia. His write-up will be published soon so you’ll have a change to evaluate the submission yourself.
Congratulations to both winners! We would also like to thank each one of you who participated. Last but not least. if you have an interesting idea for t2’17 Challenge, please let us know – authors get a free admission to the conference among other perks 😉
This is just a short note to let you know that the deadline for t2’16 Challenge write-up submissions is 2016-10-08 10:00 EEST, after which the creators of the Challenge will select the winner.
Please remember that the criteria for the selection is the elegance of the answer. The solution must include a detailed description of methods and tools used. If you don’t know the definition of elegance – please check out the winning write-ups from previous years.
We just realised that we forgot to include the link for submitting the flags (it was not supposed to be part of the challenge 😉
Sorry!! Here we go!