Official Rules

1. Eligibility and Teams

• • You must be legally able to participate under your local law and not be subject to sanctions.
• • One person, one account. No multi‑accounting, account sharing, or impersonation. If we conclude multiple people used the same account, the team is disqualified and no certificate is issued.
• • Team size cap: 5 members for prize eligibility. Larger teams may play but are ineligible for prizes.

Brackets and Scoreboards

Each bracket has its own scoreboard. A general scoreboard and a per‑user scoreboard are also displayed.

Team changes during the Event require organizer approval via Discord ticket.

2. Registration and Identity

Provide accurate information and keep credentials confidential. The public scoreboard shows your username or team name, bracket, and country. Real names and emails are not public.

3. Scope of Testing

Test only assets explicitly marked in scope on the platform. Do not interact with organizers', sponsors', partners', or third‑party systems outside scope. Do not probe, attack, or disrupt other participants' systems or accounts.

4. Conduct

Be professional. No harassment, hate speech, doxxing, stalking, or targeted abuse. Keep channels on topic. Do not DM staff for support or hints—use the Discord ticketing system or email contact@chronos-security.ro. Tickets are private between you and staff.

5. Tools, Traffic, and Rate Limits

"Offensive tools" include scanners, fuzzers, exploit frameworks, password crackers, automation scripts, and similar utilities. Use them only against in‑scope assets and only in ways that do not degrade availability. Respect published limits. If none are published, avoid high‑volume or disruptive activity. Heavy VPN/Tor traffic may be rate‑limited or blocked to protect stability.

6. Flags and Submissions

Follow the flag format shown on each challenge card and submit promptly.

• • No flag hoarding: deliberately withholding flags for bulk submission to manipulate standings is prohibited. We may invalidate affected submissions or apply penalties.
• • No sharing or trading: do not share, trade, buy, or sell flags or solutions. No cross‑team collaboration.

7. Hints

Hints show their point deduction on the challenge card. Taking a hint reduces points by that amount.

8. Scoring, Freeze, and Post‑Event Access

• • Dynamic scoring is enabled. Challenge points decrease as more teams solve them.
• • Tie‑breaks and schedules are posted on the platform.
• • Scoreboard freeze: from 00:00 EET on November 9, the public scoreboard stops updating. Solves still count toward final results.
• • Post‑Event access: challenges may remain available for practice; submissions after the end do not count.

9. Streaming, Spoilers, and Writeups

No streaming during the Event. No public writeups or spoilers until November 10.

10. Reporting Issues and Misconduct

Use the Discord ticketing channel for challenge or infrastructure issues. Tickets are structured and faster; no hints are given there. Report misconduct, suspected cheating, or abuse via ticket or email contact@chronos-security.ro. Do not disclose flags or vulnerabilities publicly.

11. Cheating and Integrity

Prohibited Behaviors Include:

• • Multi‑accounting, account sharing, impersonation
• • Collusion across teams; using leaked or previously published flags/solutions; replaying captured tokens
• • Automation beyond policy; brute force at scale; credential stuffing; evading rate limits or controls
• • Traffic flooding, denial‑of‑service, or resource exhaustion against any in‑scope or platform service
• • Tampering with platform integrity (scoreboard manipulation, unauthorized admin access, altering others' data)
• • Accessing, intercepting, or exfiltrating data outside scope, including other participants' traffic or accounts

Proof of Solve

We may require a step‑by‑step explanation and supporting artifacts (commands, notes, screenshots) to verify solves. Failure to provide adequate proof can result in disqualification.

Flag Leaks and Integrity Events

If a flag or challenge is leaked or compromised, we may re‑key, reset, or invalidate the challenge. Submissions after the leak may be rejected unless you prove your solve predates the leak. Teams responsible for leaks are disqualified.

Sanctions

Confirmed cheating results in immediate disqualification, prize forfeiture, and a ban from current and future Events. Other violations may lead to score reversal, challenge invalidation, rate‑limit or IP blocks, suspension, or disqualification.

12. Prizes and Verification

Prize types and amounts are listed at /prizes. All prizes are digital. The definitive prize list is the version published at the end of the Event on November 9; prizes may update during the Event as sponsors are confirmed.

Winners are notified by email within 48 hours after the Event ends. Winners must reply within 48 hours with: full name; proof of identity showing name and date of birth (you may redact non‑essential fields) for bracket eligibility; and IBAN for cash prizes. The bank account holder name must match the verified identity. Cash prizes are paid by bank transfer within 30 calendar days after successful verification. If details are incorrect or restricted, corrected details must be provided within 30 days of our request or the prize is forfeited.

13. Appeals

Appeal sanctions or scoring by emailing contact@chronos-security.ro within 24 hours after the Event ends. Organizer decisions are made at reasonable discretion.

14. Changes

We may update these Rules or pause, modify, or withdraw challenges for integrity, security, or legal reasons. Updates are reflected on this page with a new effective timestamp.

15. Contact

Support and issues: contact@chronos-security.ro or Discord ticketing. Privacy requests: privacy@chronos-security.ro.