Category Archives: Challenge

t2’17 Challenge winner announced

This year’s free ticket was awarded at LocalTapiola HackDay to the team who discovered the most severe vulnerability. After a full day of analyzing, verifying and rating the reported vulnerabilities, we had a clear winner rising above the competitors.

Congratulations Harri Kuosmanen of team ROT! Well done!

We would also like to thank all the other teams and those participating in the challenge during the summer. The countdown to t2’17 starts now – see you on Thursday! (..or Wednesday night at one of the many pre-event meetups/lobby bar gatherings)

If you have ideas on how to give out free tickets to our 15th anniversary event next year, please let us know!

What ever happened to the t2 challenge?

So, the t2 challenge of 2017.. It’s over for sure, but not in a way we anticipated. Before we get ahead of ourselves, let’s get back to the beginning.

The challenge was originally created in 2005 to give out free tickets to people with fantastic technical talents – there were two tracks, speed and elegance. You could either win by being the first one to solve the challenge, or by submitting the finest write-up. The idea was that also those without a personal training budget had a chance of participating the event – in practice, many new talents got a turbo boost for their contacts and career in security.

The format was successful for almost a decade, until the successful completions, attempts and downloads/page views started to drop steadily. The numbers were coming down and there was no denying it – the format of each year’s challenge appeared to have no effect on this.

We tried to compensate by putting more effort into creating the challenges, and promoted them also on Twitter in addition to the traditional channels. Alas, this did not work and we pivoted to a bug bounty this year.

The challenge was open for three full months over the summer, and during that time our own tweets alone reached over 130 000 people. Further promotion was done on our own blog, and mailing list, in addition to Full Disclosure and DailyDave. In the spirit of past challenges, the rules emphasized quality submissions and finesse to allow people to focus on what truly matters. Most importantly, the target had been selected exclusively for the t2 challenge, and had not been previously subjected to a bug bounty.

Despite a major scope increase two weeks before the challenge end date, we received exactly zero submissions. Not one, not two, but Z-to-the-E-to-the-R-to-the-0. Talk about failing..

Our question now to you, esteemed fellow hackers is:

How should we give out the free tickets in the future?

Please tweet or e-mail us, we want to hear your ideas! All feedback on the subject is appreciated.

There is sunshine after the rain – our good friend Leo Niemelä invited t2 to judge the annual LocalTapiola Hack Day. That’s the where the story continues in the following post.

t2’17 challenge update

We are updating the rules slightly, and increasing the challenge scope to cover the complete LocalTapiola Bug Bounty program.

The basic rules stay the same, with these changes:

  • The in-scope domains are expanded to cover all the domains that are in-scope in the normal LocalTapiola bug bounty program as well
  • All submissions are eligible for bounties – the rules are the same as in the normal LocalTapiola bug bounty program ($50-$50k)
  • Only NEW reports are eligible – don’t duplicate current open and/or unresolved reports from the normal LocalTapiola bug bounty program
  • In any case of confusion or ambiguity between the two bug bounty programs – LocalTapiola reserves all rights to make wise decisions

Happy hunting!

t2’17 Challenge – a break from tradition

This year’s pre-conference challenge will be a t2 exclusive bug bounty. For more information on how to participate, please see the t2’17 Challenge page.

As we’ve been organizing challenges for over a decade, you might wonder why change now? For several years in a row, the challenge participant numbers have been steadily declining, despite increased efforts put into creating the technical puzzles, challenge descriptions and back stories, and actual promotion. It’s not just the number of submissions, but also the downloads and page views. Thomas Malmberg kindly pointed out that with conference challenges we’re competing for people’s time – this is the arena where also bug bounties play.

It was time for us to either adapt or perish. This being t2, failure was not an option and quitting is something you do for apps, not in real life. With conference budgets one simply does not organize a bug bounty – you need friends’ help for that. That is the reason we partnered up with LocalTapiola to provide you a t2 exclusive bug bounty, targeting a real world business application running in production environment. To make sure the spirit of t2 challenges is still there, we are emphasizing the vulnerability quality and proof of exploitability. The challenge is not a speed competition – the most elegant and meaningful vulnerability submission will receive the free ticket, and we have adjusted the whole bug bounty process to reflect that.

Once you convert someone else’s medium severity local file read into unauthenticated remote code execution, you start to value proper analysis and investigation into the technical details of a vulnerability. In other words, 2002 called – they want their apache-scalp.c back. The 15 year anniversary is a pure co-incidence, as is Dave Aitel’s headline keynote at t2’17, the stars just happened to align the right way, like good exploitation primitives after putting in the time and effort.

The challenge is dead. Long live the challenge.

We hope you enjoy the reinvigorated format!

t2'16 Challenge winners

Carl “Zeta Two” Svensson from Sweden was the first one to solve the t2’16 Challenge. Well done! Congratulations!

The elegant write-up trophy goes to Alexander Polyakov, Russia. His write-up will be published soon so you’ll have a change to evaluate the submission yourself.

Congratulations to both winners! We would also like to thank each one of you who participated. Last but not least. if you have an interesting idea for t2’17 Challenge, please let us know – authors get a free admission to the conference among other perks 😉