Generally, it’s up to the CTF participants to use their judgment when submitting a bug report to a vendor, Ellis says. “As a vulnerability researcher, I don’t have to tell the company I found something. If I’m doing that, I’m either doing it because I feel like it’s something I should do to make sure it’s operating and disclosing vulnerabilities in the public interest and ensuring things get fixed. Or the additive reason is if there’s a bug bounty program and there’s some sort of reward for doing that, then I’m encouraged to do that. But in the absence of those two things, if I find a vulnerability as a security researcher, it’s my research, it’s my code, it’s my discovery, and what I do with it from that point forward is really still in my hands.”
Complexities surround bug reports from CTFs
Nevertheless, complexities surround discoveries of real-world bugs during CTF contests. “To people that look at it all from the outside, they just see the fact that you’ve got hackers breaking stuff and finding problems,” says Ellis. “Surely, they’re going to disclose those issues and try to get them fixed up in the public interest and all that kind of thing. It’s not necessarily a strict rule in that sense. Just because they found something doesn’t mean that they’re bound to this idea of helping the vendor. I certainly hope they do that.”
However, Chris Evans, CISO and chief hacking officer at HackerOne, thinks that bugs discovered during a CTF event should invariably be reported to vendors. “CTFs are a great way for hackers to test their skills and participate in the joy of hacking,” Evans tells CSO. “This is an excellent outcome, and any hacker achieving this should be praised,” he adds. “When this happens, standard ethics apply. The hacker has discovered a risk that could harm others and is in a position to get it addressed by reporting the issue to the affected vendor. The risk should be reported as promptly as possible to reduce the possibility of harm to others.”
Regarding the incident involving the Apple CTF player who discovered the Google flaw, Evans says, “It’s great that a CTF resulted in the discovery and fixing of a vulnerability in production software. CTFs can be chaotic and confusing environments, so it’s good that everyone worked together to get the best outcomes.”
Ellis draws an essential distinction between CTF events and bug bashes: collaborative events in which an organization invites participants to unearth as many bugs as possible within a short time, under clear-cut rules that the participants agreed to beforehand. “They look a lot like a CTF, but the thing that’s different about it is that they’re actual systems that they’re going to be fixed at the end of the event. That information is meant to get to the recipient or the person, the organization running the contest. That’s literally its entire purpose. So, the rules, the process, and how that all works is clearly established.”
Capture-the-flag events are far murkier. With a CTF, the environment is usually fake, and it’s a game. “So, if vulnerabilities get inadvertently discovered in the process, which is a thing that happens, then what happens next is far less clearly defined,” Ellis says.