Zer0Fest is a new concept of bug pwning 'festival' for better security organized by POC.
Zer0Fest will be held in POC and Zer0Con.
Zer0Fest2017 will be held on November 9 ~ 10, 2017 at POC conference.
Adobe Flash Player, PDF Reader Apple iOS(latest), macOS Sierra(latest), Safari(macOS, iOS) Android 7.x/6.x, Chrome(Windows, other OS Microsoft Edge, Hyper-V, IIS 7.x/8, Office, Windows 8.1/10 Mozilla Firefox with TOR Samsung Galaxy Note8, S8 VMWare Fusion, Workstation ETC Apache Web Server, CentOS(latest), Dovecot, Postfix, Sendmail, Ubuntu(latest)
|Messenger(Mobile)||Kakaotalk, Signal, Telegram, Threema, Wechat, WhatsApp|
|Network Device||Cisco, D-Link, Huawei, IMB, Juniper, Linksys, TP-Link|
|Antivirus||AhnLab, Bitdefender, Kaspersky, McAfee, Symantec, TrendMicro, WinDefender, Qihoo360/td>|
|ETC||Apple Pay, Alipay, Hancom Office, SamSung Pay|
Download and read the full document.
Zer0Fest2017 will be held at the K-Hotel on November 9th ~ 10th, 2017 during POC2017 in Seoul, Korea. # Eligibility - There is no limitation on the participants' registration except for employees of Organizer - A participant is not eligible for the products of his own company. - A participant must provide valid and accurate information which will be included in the registration form provided by Organizer. If the information provided by the participant is not true, the participant may be disqualified. Organizer has rights to decide the disqualification of any participants. - Employees of sponsors and their respective affiliates, subsidiaries, related companies, and judges are also eligible to participate in Contest. However, a judge is not eligible to participate as a contestant in the target that he is appointed as a judge. # Registration - A participant can register on the Contest website(https://goo.gl/QgVXjZ). - In case of some problems occurred in the website, a participant can contact through Organizer (firstname.lastname@example.org) directly with the following information: name, email address, his target(s). And then, Organizer will get in contact with the participant directly. - The deadline of registration is 24:00(UTC+09), October 31, 2017. # Online Participation A participant can participate online. If a participant does not present at the venue but willing to participate online, he or she must send Organizer all information including detailed technical paper and exploit code by November 6, 2017. The online participants have priority in the order of exploitation when they have a same target. # Targets and Prize All targets and related operation systems will be updated to the latest and fully patched version available no later than 24:00(UTC+09), November 8, 2017. All target software will be installed and configured as the default configuration. The targets are divided into two categories: - Target Category-1 is basically rewarded by Organizer, sponsors, and vendors. - Target Category-2 is rewarded by sponsors and/or vendors. If any participant who has 0-days wants to add new target(s), he can contact and ask Organizer by October 10, 2017. If new targets are added, the target list will be updated. In the Target Category-2, if a participant is not satisfied with the reward that vendors suggest or vendors don't pay, the participant does not need to submit his research to Organizer. Judges only will decide the existence of any bugs and notice the existence of the bugs and name of participants in the internet for credit and profit of the participants. The participant can do at his own disposal. This is for the sake of bug hunters' profit and fame. The blanks of two reward parts will be updated by October 31, 2017. And the reward may be increased if vendors and sponsors will join to support the reward. The more vendors and sponsors, the more reward. The reward starts with Basic Reward on September 18, 2017 and Organizer will keep updating it. The final reward will be decided on October 31, 2017.
In the case of network devices, judges will check the technical papers submitted by participants. If he wants to bring the target devices, he must inform Organizer to bring them two weeks before Contest. Judges can check the devices for the sake of fair contest management. # A Best Hacker The contestant who succeeds in pwning his target(s) with best techniques will be awarded with a chance to attend Zer0Con2018 and POC2018 for free. Organizer and judges will decide who gets the reward based on their technical performance and announce at the closing ceremony of POC2017. # Sponsor(s) For more information about Zer0Fest sponsorship profits, contact Organizer to "email@example.com" with PGP key(http://zer0fest.org/poc.asc). # Restriction of Vulnerability Reuse Regardless of how many targets one contestant participates in, the vulnerability can be used only once for all categories. # Multiple Contestants in One Target If two or more contestants registered for the same target, we will draw a random order for them. Dice will be rolled by Organizer to decide the contest order. The one who get the most dots will be the first and the rest will be done in the same manner. Only the first team that succeeds will get full reward money. For the second and the rest teams, if vendors are willing to offer reward money, the contestant will be noticed before starting the demonstration, otherwise, there will be no reward money. # Time Limitation A contestant will have 3 exploit attempts during his demonstration; each attempt must be finished within 4 minutes. The time used for network and device configuration will not be counted. # Miscellaneous - By participating in Contest, a participant must warrant that he is a sole owner of all the rights related to his vulnerability and exploit code. - A participant must warrant that his vulnerability has not been reported to vendors or third parties. - The contestant is responsible for any kind of legal problems which may occur from his trials to compromise targets. - All participants agree to fully indemnify Organizer from any and all claims by third parties in relation to Contest. - Organizer may cancel Contest without prior notice in the case of force majeure causes that are beyond the reasonable control of Organizer, including but not limited to fire, storm, earthquake, wars, revolutions, riots, civil commotion, national emergency, and act or order of any court, government or government agency. - Organizer can use contestant's information including but not limited to name, email, phone number only for the sake of running Contest properly. - Organizer reserves the right to change the rules of Contest for more reasonable Contest management and participants' profit without notice. - Organizer will contact participants and notice on the website if any changes happen.