D2P Rules

Eligibility

Employees of Hack In The Box, the vendors, and their respective affiliates, subsidiaries, and related companies are not eligible to participate in the Contest.

Contestants must be at least 18 years of age in their province or state of residence at the time of registration in order to participate and may not be a resident of any U.S. embargoed or sanctioned country or otherwise be listed on any U.S. denied or barred persons list. Attendees are responsible for compliance with any applicable import and export controls as a result of their attendance at the Contest.

The organizers shall have the right at any time to require proof of identity and/or eligibility to participate in the Contest. Failure to provide such proof may result in disqualification. All personal and other information requested by and supplied to the organizers for the purpose of the Contest must be truthful, complete, accurate, and in no way misleading. The organizers reserve the right, in their sole discretion, to disqualify any contestant who at any stage supplies untruthful, incomplete, inaccurate, or misleading personal details and/or information.

Contest Period

The Contest will be held from October 15th to 17th, 2019, during the HITB+ CyberWeek event in Abu Dhabi, United Arab Emirates.

Winner Selection

If multiple contestants register for a given category, the order of attempts will be drawn at random. Based on the drawn order, each contestant in turn will be given an opportunity to exploit the selected target. If that contestant is unsuccessful, the opportunity passes to the next contestant in the order. This continues until a contestant successfully exploits the target.

The first contestant to successfully exploit the selected target will be awarded the prize. Once the target has been exploited, the remaining contestants will no longer have a chance to exploit the target for that category.

A successful entry must:

  • Require no user interaction beyond the action required to browse to the malicious content.
  • Occur within the user’s session, with no reboots or logoffs/logons.
  • Exploit a vulnerability to allow execution of arbitrary instructions.
  • Bypass the mitigations in the target that are implemented to ensure safe execution of code (e.g. DEP, ASLR).
  • Escape the sandbox, unless otherwise stated in the category description.
  • Execute the payload in an elevated context.

A given vulnerability may only be used once across all categories. The initial vulnerability utilized in the entry must be in the registered target. The sandbox escape utilized in the entry must be in the registered target (unless the entry leverages a kernel privilege escalation).

A contestant has up to three (3) attempts to succeed:

  • Each of the three attempts is individually limited to a time period of five (5) minutes.
  • For an attempt to be successful, all elements of the attempt must complete within the 5-minute window.
  • All three (3) attempts must be completed within 20 minutes, excluding network configuration or device prerequisite time.

The targets will be running the latest, fully patched version of the operating system available for the selected target. All targets will be 64-bit, where available, and installed in their default configurations. The vulnerabilities utilized in the entry must be unknown, unpublished, and not previously reported to the vendor.

The judges and vendors reserve the right to determine what constitutes a successful entry. The organizers may award less than the original prize offering for a given category if the judges deem that part of the exploit chain does not meet the rules.

Upon successful demonstration of the exploit, the contestant will provide the organizers with a fully functioning exploit plus a whitepaper explaining the vulnerabilities and exploitation techniques used in the entry. In the case that multiple vulnerabilities were exploited to gain code execution, details of all of the vulnerabilities leveraged (memory corruption, infoleaks, escalations, etc.) and the sequence in which they are used must be provided to receive the prize.

6.) Disclosure Policy

This policy outlines how Driven2Pwn (HITB) handles responsible vulnerability disclosure to product vendors, security vendors, and the general public. HITB will promptly notify the appropriate product vendor of a security flaw in their product(s) or service(s). The first attempt at contact will be made through any appropriate contacts or formal mechanisms listed on the vendor website, or by sending an e-mail to security@, support@, info@, and secure@company.com with the pertinent information about the vulnerability.

If a vendor fails to acknowledge HITB’s initial notification within five business days, HITB will attempt a second formal contact by a direct telephone call to a representative for that vendor. If a vendor fails to respond after an additional five business days following the second notification, HITB may rely on an intermediary to try to establish contact with the vendor. If HITB exhausts all reasonable means in order to contact a vendor, then HITB may issue a public advisory disclosing its findings fifteen business days after the initial contact.

If a vendor response is received within the timeframe outlined above, HITB will allow the vendor 90 days (three months) to address the vulnerability with a security patch or other corrective measures as appropriate. At the end of the deadline, if the vendor is not responsive or is unable to provide a reasonable statement as to why the vulnerability is not fixed, HITB will publish a limited advisory including mitigations, in an effort to enable the defensive community to protect users. We believe that by taking these actions, the vendor will understand the responsibility they have to their customers and will react appropriately. After the limited advisory, a further 90-day extension will be granted before full disclosure.

If a product vendor is unable to, or chooses not to, patch a particular security flaw, HITB will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. In no cases will an acquired vulnerability be “kept quiet” because a product vendor does not wish to address it. To maintain transparency into our process, we plan on publishing a summary of the communication we’ve had with the vendor regarding the issue. We hope that this level of insight into our process will allow the community to better understand some of the difficulties vendors have when remediating high-impact bugs. HITB will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw.

HITB will formally and publicly release its security advisories on the Driven2Pwn website. Only advisories listed on the website should be considered official HITB advisories.

7.) Indemnification

By entering the Contest, contestant releases and holds HITB harmless from any and all liability for any injuries, loss, or damage of any kind to the contestant or any other person, including personal injury, death, or property damage, resulting in whole or in part, directly or indirectly, from acceptance, possession, use, or misuse of any prize, participation in the Contest, any breach of the Contest Rules, or in any prize-related activity. The contestant agrees to fully indemnify HITB from any and all claims by third parties relating to the Contest, without limitation.

8.) Limitation of Liability

Contestant acknowledges and agrees that HITB assumes no responsibility or liability for any computer, online, software, telephone, hardware, or technical malfunctions that may occur. HITB is not responsible for any incorrect or inaccurate information, whether caused by website users or by any of the equipment or programming associated with or utilized in the Contest, or by any technical or human error which may occur in the administration of the Contest. HITB is not responsible for any problems, failures, or technical malfunctions of any telephone network or lines, computer online systems, servers, providers, computer equipment, software, e-mail, players, or browsers, on account of technical problems or traffic congestion on the Internet, at any website, or on account of any combination of the foregoing. HITB is not responsible for any injury or damage to the contestant or to any computer related to or resulting from participating in or downloading materials for this Contest. Contestant assumes liability for injuries caused or claimed to be caused by participating in the Contest, or by the acceptance, possession, use of, or failure to receive any prize. HITB assumes no responsibility or liability in the event that the Contest cannot be conducted as planned for any reason, including reasons beyond the control of HITB, such as infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, natural disaster, or any other cause that corrupts or affects the administration, security, fairness, integrity, or proper conduct of this Contest.

9.) Code of Conduct

As a condition of participating in the Contest, each contestant agrees to be bound by these Contest Rules and indicates consent as part of the registration process. Contestant further agrees to be bound by the decisions of HITB which shall be final and binding in all respects. HITB reserves the right, in its sole discretion, to disqualify any contestant found to be: (a) violating the Contest Rules; (b) tampering or attempting to tamper with the Contest or any of the equipment, the Contest website or Contest programming; (c) acting in an unsportsmanlike or disruptive manner, or with intent to annoy, abuse, threaten, or harass any other person. CAUTION: ANY ATTEMPT TO DELIBERATELY UNDERMINE THE LEGITIMATE OPERATION OF THE CONTEST MAY BE A VIOLATION OF CRIMINAL AND CIVIL LAWS. SHOULD SUCH AN ATTEMPT BE MADE, HITB RESERVES THE RIGHT TO SEEK REMEDIES AND DAMAGES TO THE FULLEST EXTENT PERMITTED BY LAW, INCLUDING BUT NOT LIMITED TO CRIMINAL PROSECUTION.

10.) Privacy / Use of Personal Information

By participating in the Contest, contestant: (i) grants to HITB the right to use his/her name, likeness, mailing address, telephone number, and e-mail address (“Personal Information”) for the purpose of administering the Contest, including but not limited to contacting and announcing the winners; and (ii) acknowledges that HITB may disclose his/her Personal Information to third-party agents and service providers of HITB in connection with any of the activities listed in (i) above.

HITB will use the contestant’s Personal Information only for the identified purposes, and will protect the contestant’s Personal Information in a manner that is consistent with HITB’s Privacy Policy.

11.) Intellectual Property

All intellectual property, including but not limited to trademarks, trade names, logos, copyrights, designs, promotional materials, web pages, source code, drawings, illustrations, slogans, and representations, is owned by HITB and/or its affiliates. All rights are reserved. Unauthorized copying or use of any copyrighted material or intellectual property without the express written consent of its owner is strictly prohibited.

12.) Termination

HITB reserves the right, in its sole discretion, to terminate the Contest, in whole or in part, and/or modify, amend, or suspend the Contest, and/or the Contest Rules in any way, at any time, for any reason without prior notice.