Reporting to the Organizers

Teams are invited to report events that require organizers’ attention. Reports can concern disputes, violations, or misbehaviors, or can be applications for bonus points, such as when a team has implemented additional features.

The organizers will inspect and verify each report. If a report is about a dispute, organizers mediate and help teams reach an agreement. If agreement cannot be achieved, the organizers will decide the outcome.

Reports can be about violations. A violation is, for example, a team or individual violating a competition rule or abusing the rules to gain an unfair advantage. Misbehaviors are, for example, abusive, offensive, or disrespectful behaviors or language. In these cases, the organizers verify the report and act on it. Reporters are not penalized for bringing violations to the organizers’ attention. If necessary, reports can be anonymous. If a violation is confirmed, organizers can penalize violators, give a warning, or disqualify violators (entire team or individual members).

Cases

Case Actions
Bonus points for issues in the specs: We invite students to submit reports about issues or flaws in the specs and platform. Attacking (including probing) the infrastructure is not tolerated. The team can get 50 bonus points.
Bonus points for unrequested feature(s): A team reports (or self-reports!) features and functionalities that were not required but were implemented nevertheless. These functionalities enrich the web application, and, most importantly, they increase the attack surface. Points are determined after inspecting the feature(s) and are proportional to the number, quality, and size of the features.
Dispute: Two teams cannot agree on the status of a vulnerability report. Examples of disputes are the effectiveness of a patch, declined or invalid vulnerability, and others. Organizers mediate. If there is no agreement, organizers decide the outcome.
Partial or Missing Functionality: A project is missing a required functionality, or a required feature is partly implemented. The reporter team gets 10 bonus points. Violators can get 10 penalty points or exclusion, depending on the severity and frequency of the violations.
Abuse of Rules: A team repeatedly submits confidential issues that are not vulnerabilities or improperly uses GitLab tags during the fix-it phase to gain points, e.g., not confirming valid vulnerabilities. The reporter team gets 10 bonus points. Violators can get 10 penalty points or exclusion, depending on the severity and frequency of the violations.

How to Get Bonuses (or Report a Violation)

Send a message to any of the organizers, e.g., secwebdev@cispa.de. When writing the message, specify the relevant case from the list above and try to be as specific and accurate as possible. We will evaluate each report and act on it.