Responsible Disclosure

If you identify a security issue in CyberCTF, report it privately and allow us time to investigate and remediate.

Scope

  • Authentication and authorization bypass
  • Data exposure, injection, or privilege escalation
  • Insecure file handling or execution paths
  • Logic flaws affecting score integrity

Out of Scope

  • Denial-of-service testing or disruptive load attacks
  • Social engineering, phishing, or physical attacks
  • Vulnerabilities in third-party services not controlled by CyberCTF

How To Report

  • Send details to security@cyberctf.local
  • Include reproduction steps, affected endpoint, and impact summary
  • Attach logs, screenshots, and proof-of-concept where possible

Disclosure Process

  • Acknowledgement target: within 72 hours
  • Triage and remediation target: based on severity
  • Public disclosure only after fix and coordination

Safe Harbor

Good-faith research that follows this policy and avoids user harm will be treated as authorized security testing.