Season VI, US Cyber Open CTFs-
Rules of Engagement
Beginner’s Game Room & Competitive CTF
🔒 General Rules
-
No Attacking the CTF Infrastructure
-
You may not attack the scoreboard, challenge servers (unless explicitly allowed), or other core infrastructure.
-
You may only interact with challenge services as intended.
-
-
No Denial of Service (DoS)
-
Flooding or crashing services, either on purpose or by brute-force automation, is forbidden, and violators will be disqualified from the competition(s).
-
Don’t crash or overload services intentionally.
-
Don’t forkbomb, fuzz indiscriminately, or lock out other players from shared services.
-
-
No Sabotaging Other Players
-
Individuals solve challenges independently, and interfering with others (e.g., locking files or poisoning environments) is not allowed.
-
Do not modify or lock shared files. This includes (but is not limited to):
-
Change file permissions.
-
Lock files in VM challenges.
-
Upload malicious payloads to sabotage others.
-
-
-
No Multiple Accounts
-
This is an INDIVIDUAL competition, and using multiple accounts is prohibited.
-
-
Don’t Share Flags or Solutions
-
Flags and write-ups must not be shared with anyone during the competition. Competitors can share challenge write-ups AFTER the conclusion of the Season V, US Cyber Open (11:59 p.m. Eastern Time, Wednesday, June 18th).
-
-
No Automated Flag Submission
-
Bots/ scripts that auto-submit flags repeatedly are not allowed, and a rate limit has been set to detect abuse.
-
🤖 AI Use Policy
Help us maintain the integrity of CTFs! The recent developments of frontier model LLM's have reached a point where it has become increasingly difficult to reliably allow competitors to fully express their skill and talent across a range of core competencies through CTF challenges. This is especially true with our remote competition format. LLM's and AI are a transforming force in the security industry, and the skill of effective use of it as a tool for cybersecurity-related problems is a relevant skillset for competition. However, the US Cyber Open CTFs were designed to prioritize CYBERSECURITY SKILLS, and never intended to be fully dominated by frontier AI models.
At the International Cybersecurity Competition (ICC) and the European Cyber Security Challenge (ECSC), competitors operate in a controlled physical environment with heavily restricted or no AI/ LLM access during challenge windows. The Season VI, US Cyber Open AI Policy is designed to highlight athletes who can perform in that environment. Training yourself to rely heavily on AI tools may disadvantage you at those events.
As this is our position, we kindly ask you to respect the integrity of CTFs, and do not use AI models/ LLMs not included within the whitelist offered below. Keep the OG spirit of cyber competitions in mind, and value the learning aspect more than the use of AI.
-
Respect Our Challenge Developers
Season VI, US Cyber Open challenge developers put a lot of time, energy, and expertise into this process... Please respect this by defaulting towards LEARNING THE SKILL(S) before dumping a challenge into your favorite LLM. -
Step 1 Towards Making the Season VI, US Cyber Team
The US Cyber Open is Step 1 towards earning a spot on the US Cyber Team... And we're looking to measure your CYBER skills (and not necessarily AI skills). The larger competitions we send the US Cyber Team to enforce very limiting, very strict rules around access to and use of AI during competition windows. -
Write-ups On Request
At any point during the Season VI, US Cyber Open, any one of our coaches, mentors, or challenge developers have been given the authority to reach out directly and request a write-up on any challenge you have scored points on. Top performers will be asked to provide solve documentation before the leaderboard is finalized and before any prizes are awarded.
Whitelisted Models:
meta-llama/llama-3.1-8b-instruct
google/gemma-4-31b-it
google/gemma-4-26b-a4b-it
qwen/qwen3-30b-a3b-instruct-2507
🧠 Challenge-specific Rules
-
Flags Follow a Pattern
All flags follow a format unless explicitly stated within the challenge description.-
Beginner’s Game Room CTF: SVBRG{This_is_a_Flag} or SVIBGR{This_is_a_Flag}
-
Competitive CTF: SVIUSCG{This_is_a_Flag}
-
Warmup Challenge: SVIUSCG{Y0u_r34d_th3_ru135}
-
-
Submitting random strings or guessing excessively is frowned upon.
-
Reverse Engineering or Exploitation is Scope-limited
-
Only attack targets and binaries that are part of the challenge scope.
-
-
Use of Public Tools is Fine, but Use Ethically
-
Tools like Burp, Ghidra, IDA, Metasploit, etc., are allowed, but using them to cheat or scan unrelated targets is not.
-
Tools such as SQLMap, Go/Dirbuster, and other brute-force and fuzzing tools are not needed and should not be used. Any exploits used against web apps should be developed for a specific target rather than using premade tools that generate a lot of traffic and stress the CTF infrastructure.
-
-
Most Web Challenges Should Be Solved Offline
-
For instanced web challenges, you will have limited time to use each container. You should use any provided source code to test your exploits locally before starting your instance.
-
👨⚖️ Ethics & Conduct
-
Be Respectful
-
Respect organizers, competitors, and the rules. No explicit/ targeted trash talk or unsportsmanlike behavior, and harassment of any kind will not be tolerated. Violation of these policies will result in immediate disqualification from the competition(s).
-
-
Bug Bounties vs. CTF
-
CTFs are isolated environments; don’t confuse them with real-world targets or bug bounty platforms.
-
-
Follow Organizer Instructions
-
Organizers may add specific rules for their event (e.g., VM setup, hints usage, scoring changes).
-
📌 Additional Tips
Join the Official Discord for clarifications, announcements, and updates.
Recommended List of Tools:
|
CyberChef |
dnSpy |
Angr |
|
Wireshark |
binwalk |
SIFT |
|
Ghidra |
Shodan |
Autopsy |
|
IDA |
gdb |
Hashcat |
|
BurpSuite |
pwntools |
NetworkMiner |
|
Nmap |
Radare2 |
Scapy |
|
FTK Imager |
socat |
John the Ripper |
|
Volatility |
xinetd |
EZTools |
|
Docker |