Scope of Engagement

Last Updated: April 20, 2026

This Scope of Engagement defines what participants are allowed to do on NexaCTF, what is out of bounds, and how event access and approvals are handled.

1. In-Scope Targets

  • Only challenges and event resources hosted inside this platform are in scope.
  • Only the event(s) you are approved for are in scope for your account or team.
  • Challenge attachments and challenge endpoints provided by admins are in scope.

2. Event Access & Approval

  • To participate in an event, you must submit the correct event access key.
  • A correct key creates an access request with status PENDING.
  • An admin must approve the request before challenge and scoreboard access is granted.
  • When approved, a notification is sent to the user or team members.
  • Access may be revoked at administrator discretion for policy violations.

3. Authorized Activities

  • Solve challenges, submit flags, and unlock hints through normal platform workflows.
  • Use team features (join, leave, invite, rotate code) when team mode is enabled.
  • Analyze challenge files and challenge behavior strictly for competition purposes.

4. Prohibited Activities

  • Attacking platform infrastructure, admin endpoints, or other participant accounts.
  • Credential stuffing, brute force, denial-of-service, or automated abusive traffic.
  • Bypassing event approval/access controls or tampering with score/submission records.
  • Accessing events, challenges, or files not assigned to your approved scope.
  • Sharing private event keys, account credentials, or unauthorized challenge data.

5. Fair Play & Integrity

  • Do not interfere with other users, teams, or active event operations.
  • Do not exploit platform bugs to gain unauthorized points or access.
  • Respect submission cooldowns, rate limits, and moderation decisions.

6. Reporting Security Issues

If you find a platform vulnerability unrelated to intended challenge design, stop testing immediately and report it to administrators with steps to reproduce. Do not publicly disclose it during active events.

7. Enforcement

  • Administrators may warn, suspend, ban users/teams, or revoke event access for violations.
  • Scores, submissions, or approvals may be invalidated if abuse is detected.
  • Repeated or severe violations can result in permanent removal from the platform.

Developed and managed by Raymond Fanuel Terms Privacy Scope About