RESPONSIBLE DISCLOSURE

This contest has a strict responsible disclosure policy, and responsible disclosure on the part of contestants is encouraged and supported. All 0-day vulnerabilities submitted to this contest must at some point be disclosed to the affected manufacturer prior to their demonstration at the contest area.

If I disclose the vulnerability to the manufacturer, will it still qualify as a 0-day?

Yes, but you must do so through the proper channels. You may submit your vulnerability details through iDEFENSE, Mitre, ZDI, etc., and even submit details of your vulnerability to the manufacturer. Just be sure to REGISTER YOUR EXPLOIT with our contest at the same time. This way, even if the manufacturer discloses the vulnerability prior to the contest you can still get full credit.

How can I trust you with these vulnerability details?

That's up to you. We're trustworthy guys, but you may not know us. You may withhold essential vulnerability details at registration, but you must disclose the full vulnerability at the contest. Just be sure to submit enough information that we can verify the authenticity of your claim at that time. We recommend you submit a cryptographic SHA-256 sum of your vulnerability write-up at registration, so that we can verify you in fact had the full vulnerability details at that time.
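As an added example, not part of the contest's own registration tooling, here is the SHA-256 check above as a commit-then-reveal step in Python: the digest is registered in advance, and at the contest the full write-up is revealed and re-hashed. The random nonce and the line-ending normalisation are assumptions added here (the FAQ asks only for a SHA-256 sum); the sample write-up is a constructed placeholder.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample write-up; every field is a placeholder, not a real report.
SAMPLE_WRITEUP = (
    "Product: [PLACEHOLDER]\n"
    "Summary: [PLACEHOLDER]\n"
    "Steps: [PLACEHOLDER]\n"
)


def canonicalize(text: str) -> bytes:
    """Normalise line endings and encode as UTF-8, so the same write-up hashes
    identically whether it was saved with CRLF or LF line endings."""
    body = text.replace("\r\n", "\n").replace("\r", "\n").rstrip("\n")
    return (body + "\n").encode("utf-8")


def commit(text: str, nonce: Optional[bytes] = None) -> Tuple[str, str]:
    """Registration step: return (digest_hex, nonce_hex).

    The nonce is an assumption added here. Hashing a nonce together with the
    write-up means the registered digest alone does not let anyone confirm a
    guess at a short or predictable document; the nonce is kept with the
    write-up and revealed at the contest."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    h = hashlib.sha256()
    h.update(nonce)
    h.update(canonicalize(text))
    return h.hexdigest(), nonce.hex()


def verify(text: str, nonce_hex: str, digest_hex: str) -> bool:
    """Contest step: recompute the digest from the revealed write-up and nonce
    and compare it to the registered value in constant time."""
    expected, _ = commit(text, bytes.fromhex(nonce_hex))
    return hmac.compare_digest(expected, digest_hex)


if __name__ == "__main__":
    digest, nonce_hex = commit(SAMPLE_WRITEUP)      # sent at registration
    print("registered digest:", digest)
    print("verified at contest:", verify(SAMPLE_WRITEUP, nonce_hex, digest))
```

Keep the nonce with the write-up; without it the registered digest cannot be reproduced at the contest.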

Will you disclose vulnerability details prior to the contest?

No. But if you've discovered something terrible, we will encourage you to do the right thing and tell the manufacturer as soon as possible.

Will you help me disclose a vulnerability prior to the contest?

We can point you in the right direction, but for legal reasons you're essentially on your own.

If I disclose the vulnerability details myself, will it still qualify as a 0-day at the contest?

No.

What is the appropriate amount of lead time to give manufacturers before making my research public?

This varies on a case-by-case basis, and situations may arise that warrant different ways and times of disclosing a vulnerability publicly. The severity of the vulnerabilities found, the number of affected users, the manufacturer's responsiveness and requests for more time, and the ability of users or manufacturers to address the issue could all play a part in determining the right lead time. You should however think in terms of weeks, not days. There is no question that notifying the manufacturer as soon as possible after confirming a vulnerability is the most responsible thing to do.