Bug Bounty Village CTF Updates
Here's everything you need to know about the CTF.

Item | Info |
---|---|
Kickoff | Friday, August 8, 2025 – 10:00 AM PDT |
End Time | Sunday, August 10, 2025 – 10:00 AM PDT |
Registration | |
Participation | In-person & Remote |
Location | Online & Onsite at the Bug Bounty Village, Room W326 (Las Vegas Convention Center) |
Note: This information is subject to change. Monitor https://bugbountydefcon.com/ctf for the most up-to-date information.
How to Maximize Your Experience
Register Early: bbv.ctf.ae
Scan the QR Code In-Person: Unlock dedicated triage review access for bonus points.
Read the Program Page: Once the event starts, sign in to the platform and read the program policy page, which lists the scope and instructions.
Write Quality Reports: Clear, actionable write-ups earn more triage points.
Attend Walkthrough & Awards: Learn from the CTF creators and celebrate top hackers.
Leverage On-site Triage: Get feedback in real time and secure leaderboard advantages.
Competition Format
Realistic Bug Bounty Simulation
Compete in an environment seeded with vulnerabilities across web, API, and LLM assets, designed to closely mirror real-world bug bounty challenges.
Report-Based Scoring
Points are awarded for valid vulnerability submissions with high-quality write-ups.
Report Guidelines (Similar to Real Bug Bounty Programs):
Submit one report per vulnerability for clarity and proper scoring.
A single vulnerability may involve more than one flag. While this isn’t required, related or chained vulnerabilities can be submitted in a single report.
Extra points are awarded per flag. Reports with multiple related flags will earn points for each flag, so you won’t be penalized for combining them if they belong to the same vulnerability.
Unrelated vulnerabilities require separate reports. Submitting unrelated flags in a single report may result in lost bonus points.
Scope matters. To receive points, you must select the correct in-scope asset when submitting your report.
Dedicated CTF Triage (In-Person Only)
In-person participants gain exclusive access to our live triage review system:
Scan a unique QR code at the village to unlock live triage access (single-use, non-shareable).
Submissions will be reviewed in real time by experienced triagers from bug bounty platforms.
Bonus points will be awarded based on report quality, assessed by:
Clarity in describing the vulnerability in the title and summary
Clear reproduction steps
Explanation of potential impact
Strength of supporting evidence
High-quality reports can be the deciding factor for leaderboard positions, so attention to detail matters.
Note: While all participants can submit reports, live triage and bonus points are only available to in-person participants due to capacity limitations.
Report Update Policy
To maintain fairness and prevent unnecessary triage overhead, once a quality score has been assigned, reports will not be reopened for reassessment unless a triager has made an error in their evaluation. Hackers are strongly encouraged to carefully review and finalize their submissions before sending them for triage, as additional updates made solely to gain extra quality points will not be accepted.
Hybrid Accessibility
Remote participants can still compete and win online prizes but will not have access to live triage reviews or QR-based scoring bonuses.
Individual Participation Policy (CTF)
This CTF is designed to showcase individual skill and achievement, but we recognize that hacking is often more fun (and educational) in groups.
Collaboration Guidelines
Collaboration is allowed for learning. Hackers are welcome to discuss, share knowledge, and learn together.
Teams may participate using a single account. If you choose to hack as a team, you must register and compete under one shared account.
No multi-accounting or flag sharing across accounts. Coordinated play across multiple accounts to stack prizes is strictly prohibited.
Prize fairness. No single group or team may claim all or a majority of the prizes. We reserve the right to adjust or revoke rewards if coordinated behavior undermines fair competition.
Quality over quantity. A single account per team keeps report submissions manageable and ensures fair triage and scoring.
Compete individually if you want the glory. Learn together because hacking is more fun that way.
Support & Community (Discord)
All participants will have access to our CTF Discord server, where you can:
Get support from organizers and triage staff.
Receive official announcements and event updates.
Occasionally get hints to help you progress.
Find collaborators to learn and work with on challenges.
The Discord will be your central hub for staying connected, getting help, and engaging with the community throughout the competition.
Important: After verifying you are a human, go to #claim-your-role and select the roles you want to be notified about.
Join Here: http://discord.gg/dcVpkCY4bn
Prizes
In-Person
2x PS5
2x Meta Quest 3
1x Sony WH-1000XM4
1x Hak5 Rubber Ducky
1x Hak5 Bash Bunny
3x Labubu Blind Boxes
10x Bug Bounty Village Badges
Remote
1x OffSec Course & Exam Voucher (Winner’s Choice)
1x OffSec SJD-100 Course
25x SecOps API Pentester Gift Cards
20x Parrot CTF VIP Vouchers
5x PentesterLab Licenses
…and more!
Prizes will be awarded in leaderboard order. Each participant may claim only one prize. To receive a physical prize, winners must be present at the closing ceremony on Sunday, August 10th. Online/remote participants are not eligible for physical prizes. Remote prizes are available exclusively for online/remote participants.
Key Sessions
Bug Bounty Village CTF Walkthrough
Date & Time: Sunday, 12:00 PM PDT
Duration: 60 minutes
Format: Live session with CTF.ae
Location: Bug Bounty Village (W326)
The CTF creators (CTF.ae) will walk through some of the competition’s most interesting challenges. They’ll demonstrate vulnerabilities in web, API, and LLM assets, explain the exploitation process, and share practical techniques for real-world bug hunting.
Bug Bounty Village CTF Awards
Date & Time: Sunday, 1:00 PM PDT
Duration: 30 minutes
Format: Awards ceremony hosted by BBV Staff & CTF.ae
Location: Bug Bounty Village (W326)
Join us as we celebrate the top performers of the competition! The leaderboard winners will be recognized and awarded prizes. A great chance to meet organizers and network with the global hacking community.
GOOD LUCK, HAVE FUN! HAPPY HACKING
Harley, Ariel, and BBV Staff ❤️