Contest Rules
Rules are subject to change up to 48 hours before the beginning of the contest. Failure to abide by these rules will result in expulsion from the contest and, where appropriate, referral to proper authorities.
The Pointer Overflow CTF is hereafter referred to as the “CTF” or simply the “contest.” The term “admin” refers to anyone officially working within the contest to ensure the challenges remain available and viable, and that teams and scoring remain working. The term “organizer” applies to anyone officially working within the contest to communicate changes, administer the contest, arbitrate disputes, and manually review any scoring discrepancies. Those participating in the CTF are referred to as “participants” or “contestants” collectively, or as “teams” when referring to groups of participants officially working together.
Participants may contact admins or organizers using the contest Discord channel by messaging
@CTF-Admin.
All flags must be submitted as strings. Flags can be identified by their format:
poctf{uwsp_msg} (regex ^poctf{uwsp_.*}$).
They all begin with the prefix poctf{uwsp_. After that they all use this character set:
4bcd3f6h1jklmn0pqr57uvwxyz. Flag submissions are case insensitive, and alpha characters
may appear in upper or lowercase in challenges. They all end with a closing bracket }.
Flags contain no spaces; spaces are replaced by underscores (_).
Example: poctf{uwsp_7h15_15_4_54mpl3_fl46}
Flags must be submitted prior to the challenge closure for any points to be awarded. Flags must be submitted through the contest website in the appropriate field marked for that challenge for any points to be awarded.
Participants must follow the contest rules at all times. Violating any CTF rules will be grounds for exclusion from this and future CTF challenges. Attempts to violate the rules that also constitute a violation of the law will be pursued by the appropriate authorities.
Decisions made by admins or organizers regarding all disputes are final.
Grievances, concerns, questions, criticisms, complaints, or comments should be made to admins or organizers. Discord moderators are not admins or organizers; they are there only to keep order on the server.
Flag hoarding, interference, or tampering with challenges outside of your team's instance is not allowed. DDoS/DoS attacks are strictly prohibited.
These rules are subject to change at any point without prior notice at any point up to 48 hours before the contest begins. All participants should review these rules in the 48 hours prior to the start of the contest to ensure they are familiar with the accepted version of these rules.
There is no limit on team size. All participants on the team must be officially registered on the CTF site to be considered valid participants.
Teams will be identified by a unique ID that will be used to track flag submissions.
Collaboration between competing teams is not allowed.
The Individual bracket is intended for solo competitors who wish to participate independently rather than as part of a team. Each individual participant is treated as a one-person team for the purposes of scoring and eligibility.
- One account per person. Individual participants must register with a single account and may not create or use multiple accounts or aliases.
- No dual registration. A participant may compete in either the Individual bracket or a team bracket (Academic or Team), but not more than one bracket in the same event.
- No collaboration between individual competitors. Individual participants must solve challenges on their own. Exchanging flags, solutions, or step-by-step instructions with other individuals or teams is not allowed.
- Use of public resources. Individuals may use publicly available tools, documentation, and references, provided such use does not violate any applicable laws, licenses, or these contest rules.
- Shared environments. Individuals working from shared labs or classrooms must ensure they are not sharing solutions or flags, even inadvertently, with other participants.
- Eligibility for prizes. Individual participants must have a valid registration, accurate contact information, and comply with all contest rules to be eligible for any prizes associated with the Individual bracket.
The Academic bracket is intended for teams representing colleges, universities, or similar educational institutions. These rules are designed to keep the bracket fair, educational, and representative of student work.
- Institution affiliation. Academic teams must be composed primarily of participants who are currently enrolled students at the institution they represent. Teams should use their institution name or an unambiguous abbreviation in the team profile.
- Faculty and mentor involvement. Faculty, staff, alumni, or external mentors may provide high-level guidance, context, or coaching, but they may not directly solve challenges, write exploits, or submit flags on behalf of the team.
- One bracket per participant. A student may compete either in the Academic bracket or another team/individual bracket, but may not appear on multiple rosters or submit flags for more than one registered team.
- Multiple teams from the same institution. An institution may field multiple teams, but those teams must not share flags, full solutions, or step-by-step walkthroughs with each other during the contest.
- Compliance with institutional policies. Academic participants are expected to comply with their home institution’s acceptable-use, academic integrity, and conduct policies in addition to these rules.
- Prize eligibility and verification. Academic bracket prizes (if offered) may be subject to additional verification, including confirmation of enrollment status or institutional affiliation. Failure to verify may result in disqualification.
- Use of institutional resources. Use of campus labs or networks is permitted only where it complies with the institution’s policies and does not disrupt normal operations or violate any laws or third-party terms of service.
A full detailed list of participant conduct rules can be found on the dedicated Code of Conduct page.
The CTF is a contest of skill. No purchase is necessary to enter. No sponsorship is offered or implied. By entering the CTF participants agree to abide by the Official Rules and decisions of the contest organizers. The CTF organizers reserve the right to refuse, withdraw, or disqualify participants at their sole discretion. Contest prizes are awarded to participants at their sole discretion.
Contest winners are eligible only with valid registration and participation in the CTF. A valid e-mail address must be provided at sign-up. Delivery of contest prizes will be done digitally using this address.
A winner will be declared when the first of two conditions are met. First, the contest ends at the specified time. In this case, the team with the most points at the time the contest ends will be declared the winner. Second, when a team solves all available challenges and earns all available points, the first team to do so will be declared the winner.
In the event that the contest closes and there is a tie score, a tie breaker challenge will be issued and the first team to correctly solve it will be declared the winner.
The following principles guide how organizers, admins, and moderators interact with participants throughout the contest:
- Organizers will not provide direct assistance or solutions. They may help contestants understand the rules, environment, or intended direction of a challenge, but will not offer step-by-step exploit guidance.
- Organizers will not lie to contestants. Hints may be indirect or intentionally limited, but deception intended to mislead players is not permitted.
- Organizers respond in their own time. Assistance is voluntary and subject to organizer availability. When a question concerns a previously explained issue, organizers may restate or rephrase a clarification.
- Where participants ask matters. Private messages are for direct communication. The Discord channel is primarily for announcements and indirect, high-level assistance.
- How participants ask matters. Clear questions receive clear answers. Vague questions indicate uncertainty; organizers may help guide participants toward understanding but will not provide direct assistance.
- What participants ask matters. Organizers will not provide information that was not explicitly requested. Answers remain limited to the participant’s stated topic.
- Mistakes are corrected when verified. If organizers confirm that a genuine error exists, it will be fixed. If an issue remains unchanged, it is not considered an error.
- Challenge changes are announced in advance. Any modification to challenge content, wording, or scoring will be announced publicly to ensure fairness.
- All downloadable challenge files include checksums. This ensures participants can verify file integrity independently.
- Organizers do not participate in the competition. No organizer, admin, challenge author, or infrastructure engineer may compete in any bracket.
- Challenge authors do not assist participants on their own challenges. Assistance must be routed through an organizer not involved in that challenge’s creation.
- All participants receive equal access to information. Private clarifications that affect gameplay will be reposted publicly.
- Organizers reserve the right to intervene to maintain fairness. Scoring may be adjusted, challenges frozen, or corrections issued to address unforeseen exploits or ambiguities.
- Organizers do not review or validate participant tooling. They will not test your exploits, scripts, or methodologies—only your flag submissions.
- Organizers will not reveal solutions before the contest ends. Official explanations and write-ups are provided only after the event concludes.
- Organizer confidentiality is mandatory. Participant data, private messages, and communication logs are handled with discretion and used only for contest operation.
- Organizers may disqualify participants for misconduct. Any disciplinary action follows a documented process and is not taken arbitrarily.