Friday Night Firefight

#event #event-rules #sprint

This event is a Sprint by default (Under 24h.) Some Firefights may be Races (24-48h) or Marathons (48h+) depending on the Firefight participant.

When:
Fridays starting at 5PST

Overview:
Got a think you need stress tested? Submit it and we all try to break it. Submit at your own risk.

Submissions due Friday by 12PST. Create a ticket in https://discord.com/channels/1171632873950941195/1171867851498467429 to have your repo/website/app/product added to the pool. You should include:
-how your thing is supposed to work
-how your thing is NOT supposed to work
-any special bonus challenge conditions you'd like to include
-any conditions you would NOT like your product tested under (i.e we want to test the chatbot, we do not want to test the database. please don't touch the database. there's like actual people's information in it and we haven't had time to secure it properly. seriously.)

Pool rotations will happen periodically depending on the number of available pool candidates, interested hackers, and other random factors tbd later.

Possibly: Once your project has been selected for a Firefight, it leaves the pool and must be resubmitted for the following week if desired.

Possibly: a voting period before the event start time to determine which Firefight candidates are eligible that week.

Rules:
Firefight candidates will be announced on Fridays at 12PST. From 12 to 6, you can tool up, form teams, make plans, spin up containers/vms, strategize, write scripts, etc. However, do not 'use' any of the things you've prepared until the Firefight begins at 6PST.

5PST - Eligible Firefight candidates will do a quick demo of how their thing works, how it's supposed to work, and what it looks like when it breaks, and anything else they think you should know.

6PST-9PST - Firefight!
Your goal: Break the thing. In as many ways as possible, and as badly as possible. DDoS, botnets prompt injection, auth spoofing, metasploit, social engineering, aircrack, whatever. Don't do anything illegal, or if you do, make sure nobody finds out (you'll lose points + also it's illegal)

When you have successfully broken something:
-log it somehow (screenshot, logfiles....other ways, i assume there are some)
-notify a Judge
-go back to breaking the thing

Points might vary depending on the event, challenge conditions, severity of the exploit, etc.

WINNERS:
Eligible for Firefight pool prizes. If challenge conditions were met, eligible for Challenge prizes. Roles/badges accordingly. Eternal glory.

JUDGES:
Ideally you have penetration testing or devops experience, or experience maintaining a service and watching it go down. You might be asked to make judgement calls on how severe an exploit is, differentiate between two similar exploits, or decide if an exploit successfully met condition X or Y.
For now, if you're interested in being on the judging panel for one of these, submit a ticket that indicates that. Maybe we'll make a better system later.