Terms of
engagement
This guide outlines the eligibility criteria, rules, and general conditions for participating in the Fluid Attacks CTF.
Participation requirements
Eligibility
The Fluid Attacks CTF is strictly an individual competition. Fluid Attacks does not allow team formation or collaboration among participants.
This competition is restricted to citizens or permanent residents of Latin American and Caribbean countries.
Account policy
Participants may have only one (1) account.
The creation of alternate accounts (sockpuppets), test accounts, or the sharing of account access is forbidden and will result in an immediate rejection of all associated accounts.
Registration
Each applicant must register for the CTF via the official form. All information provided must be complete and truthful.
Each applicant's registration data will be cross-checked against their public LinkedIn information. They must ensure that their profile is accurate and up to date with their current employment or academic status before submitting the application.
If the CTF form prohibits an applicant from entering their LinkedIn profile because it is already in use by someone else, the applicant should notify Fluid Attacks of this issue at [email protected].
If the applicant is a permanent resident of a country in Latin America or the Caribbean but their LinkedIn profile does not reflect this, they must send proof of residency to the Fluid Attacks email address provided above.
Review and approval
Fluid Attacks' organizing team reviews applications. The approval is not automatic and depends on eligibility requirements and available capacity.
Once an application has been approved or rejected, Fluid Attacks will email the applicant.
Rejection criteria
A registration will be automatically rejected if:
The provided LinkedIn profile is nonexistent, has no connections, or has no verifiable history.
The applicant is not a citizen or legal resident of a Latin American or Caribbean country.
The information is false, incomplete, or does not match the professional or academic identity on LinkedIn.
The applicant has been banned from any previous edition of the Fluid Attacks CTF.
Participation rules
During the CTF, participants must not:
Share solutions, write-ups, flags, or techniques with other participants (they may do so only after at least 48 hours have passed since the end of the CTF; doing so earlier would result in disqualification from the competition).
Solve challenges together with other participants or engage in any other form of collaboration.
Use multiple accounts or impersonate others.
Submit flags via brute force or automate mass submissions.
Attack the CTF infrastructure or attempt to cause a DoS/DDoS.
Sabotage or interfere with the performance of other participants.
Fair play and penalties
Participants who commit any form of fraud in the CTF will be:
Immediately disqualified from the competition.
Permanently banned from future editions.
Removed from all cumulative rankings: Their past and current scores will no longer count toward any individual, company, university, or country cumulative rankings.
Community standards
All participants are required to behave respectfully and professionally at all times; therefore, harassment, discrimination, and any unethical behavior are not permitted. This applies to all communication channels used in the competition (Discord, email, the CTF platform, etc.). Any violation may result in immediate disqualification from the current CTF and permanent exclusion from future editions.
Use of AI tools
The CTF will have two separate scoreboards: Unrestricted and AI-Free.
Each participant must choose their game mode during registration. Participants who initially select AI-Free may switch to Unrestricted even during the competition, but only up to 1 hour before the CTF finishes. However, participants who select Unrestricted may switch to AI-Free only up to 24 hours before the CTF starts by emailing [email protected].
The two game modes are defined as follows:
Unrestricted
Participants may use AI tools as they wish, provided they understand and can reproduce their submitted solutions on their own and continue to comply with all other rules set forth in this document. Participants in this mode are eligible for prizes.
AI-Free
Participants agree not to use AI tools in any form during the competition. Participants in this mode are not eligible for prizes, but they will have their own ranking. This mode is intended for people who wish to compete solely for the challenges and their professional growth.
Fluid Attacks reserves the right to request detailed technical write-ups from participants in either scoreboard to verify their technical understanding, reasoning, and ability to reproduce their submitted solutions. Failure to demonstrate such understanding may result in disqualification from the CTF.
Ranking and prizes
For corporate and institutional rankings, subsidiary companies, branches, or brands belonging to the same parent holding group will be grouped under the main parent company's name.
Fluid Attacks awards prizes to participants who finish in the top three overall in the competition, as well as to the top finishers in AppSec, First Bloods, and Under-26. These categories are explained below:
Top AppSec: The participant with the highest cumulative score across challenges in the Web, Mobile, and API categories.
Most First Bloods: The participant who obtains the highest number of "first bloods" (a "first blood" is the recognition earned by the player who solves a challenge before all other players).
Top Under-26: The participant who—being 26 years old or younger by the end of the year in which the CTF takes place—achieves the highest overall score among at least 29 other participants in that age group (i.e., this title will not be awarded in a competition with fewer than thirty participants within that age group).
In the event of a tie in any of these award categories, Fluid Attacks will use the time it took participants to complete the challenges as the tiebreaker.
To validate the provisional winners' scores at the end of the CTF, organizers will present three randomly selected challenges from the competition that those participants managed to solve. The top three participants (aka official candidates) have 36 hours to submit detailed technical write-ups of their solutions. At the same time, participants in 4th, 5th, and 6th place will be notified as alternate candidates and will also receive three challenges to validate their solutions, with write-ups due by the same deadline. Each participant should correctly answer these requests. No response or incorrect answers by any of the official candidates will result in the following:
The participant in question will be excluded from the awards, allowing the next player in the ranking to take their place and receive their prize (if they provide correct answers). If this happens only to the first-place finisher, both the second- and third-place competitors will move up a spot.
The next participant—one of the alternate candidates, outside the top 3 but next in line based on their score—who has appropriately completed and submitted their write-up will be included in the top 3 to receive a prize.
Each write-up is evaluated by two members of the Fluid Attacks Research team using a checklist based on these five criteria: vulnerability identification, exploitation chain, exploitation artifacts (scripts and payloads), technical domain knowledge, and decision traceability. If none of the six aforementioned candidates answer the challenges correctly within the allotted time, Fluid Attacks will refrain from awarding prizes to the top 3 based on overall score. All validation is completed within 48 hours of the CTF's conclusion, in accordance with the policy of not publishing solutions during this period. Decisions issued at the conclusion of the validation process are irreversible.
Fluid Attacks disburses the prizes after reviewing and approving the write-ups for these final challenges.
If a player achieves scores that qualify them for two or more available prizes, Fluid Attacks will award them only the largest prize, thereby allowing the other prize(s) to be awarded to the next participant(s) in the corresponding leaderboard(s).
If the winner of any of the prizes is an employee of Fluid Attacks, they will receive only the monetary equivalent of the prize in the form of funding for cybersecurity certifications.
Data privacy
By registering, the applicant authorizes Fluid Attacks to review their public LinkedIn profile for profiling purposes (e.g., to verify their residence in Latin America, current employment, or student status). This data will be used exclusively for eligibility verification, competition statistics, and rankings, and will not be sold to third parties.
Technical issues related to the CTF challenges or platform should be reported via the CTF's official Discord server.
All other questions, concerns, or requests should be sent to [email protected].
By registering and participating, the participant agrees to comply with all rules set forth herein and to accept the consequences of noncompliance.
Fluid Attacks may conduct investigations after the competition and retroactively disqualify participants who violated any of the rules mentioned above. Therefore, the rankings may be affected by these investigations.
