Since the OSINTion OSINT CTF may involve real people and real businesses, we must be very strict with our rules. Most of these rules are designed to ensure there is no criminal activity by contestants but also to ensure we are respectful to the people we are researching.

Please follow the rules. While we know there may be misunderstandings, please ask OSINTion personnel when in doubt.

  • If you believe you found a flag, but it is getting rejected, bring it up to the instructor. Validation will occur and you will be provided with further instructions.
  • Information behind a paywall is not worth any points as it can not be verified.
  • Only registered individuals can participate in the contest.
  • This CTF is only accessible by attendees of the appropriate course or conference for which the CTF is in cooperation with.
  • Attacking any infrastructure will result in immediate disqualification and permanent ban.
  • Attempting to login as a person in the CTF or any employee or vendor of a business in the CTF is EXPLICITLY PROHIBITED. Doing so will result in immediate disqualification. While the data is public, the use of that data is illegal, immoral and is not tolerated, endorsed, or condoned by the OSINTion, regardless of how 1337 you may be.
  • If a flag is asking for a password, coming across the password using OSINT techniques and public repositories for submissions sake is permitted. Anything outside this scope will result in immediate disqualification. While the data is public, the use of that data is illegal, immoral and is not tolerated, endorsed, or condoned by the OSINTion, regardless of how 1337 you may be.
  • Attempting to exploit any other players will result in immediate disqualification and permanent ban.
  • For flags associated with people, contacting them, their family, or friends of the subject will result in immediate disqualification (this includes tagging, friending, liking or any other interaction). Basically, performing anything but OSINT will result in disqualification. This means you don’t “friend” or comment on any social media related to the subject.
  • The following actions/tools are not allowed or in-scope:
    • Dark Web
    • Metasploit
    • NMAP
    • Other vulnerability or port scan tools
    • Any hacking technique beyond reconnaissance/OSINT (Google hacking is allowed)
    • Interacting with target companies’ websites, social media, or other assets beyond reading STAY READ ONLY. They shouldn’t be able to track that OSINT has been collected.
    • NO Phishing, Vishing, or other social engineering techniques
  • The OSINTion reserves the right to enforce any new rules that are reasonable. Reasonable is defined by the OSINTion.
  • Most importantly, be safe but HAVE FUN!