WarGames: Live Operational Intelligence Simulation

You'll breach web apps cloned from live targets - complete with realistic attack surface, access security flaws, and messy code.

No guidance. No hints. Just your tactics battling the timer.

Organised by

THIS ISN'T A LAB. IT'S A WARZONE

Are you In?

Report to the Event Expo Area

Get the Event Code from the Team

Spawn Your WarZone Instance

Begin the Hunt

War Games Prize Pool

🥇 FIRST PLACE

₹50,000 Cash

Barracks SWAG
T-shirts
Official Winner Certificate

🥈 SECOND PLACE

₹20,000 Cash

Barracks SWAG
T-shirts
Official Winner Certificate

🥉 THIRD PLACE

₹10,000 Cash

Barracks SWAG
T-shirts
Official Winner Certificate

How WarZones Work?

DEPLOY INTO REAL-WORLD CHAOS

“Deploy into a Live App — No Training Wheels.”

You will deploy directly into a live, hostile application environment modeled after real social networks, ecommerce platforms, and banking portals. These WarZones are stripped bare and seeded with real-world vulnerabilities.

There are no hints, no walkthroughs, and no hand-holding. What you get is raw code, realistic attack surfaces, and a ticking clock.

This is not a practice lab. This is bug bounty realism.

EXPLOIT OR BE EXPLOITED

“Hunt Vulnerabilities Before Anyone Else Does.”

Find bugs. Report them first.

In this WarZone, speed and precision matter — the first valid report earns the points. Spot a vulnerability too late, and it may already belong to someone else.

This isn’t CTF — there are no solved flags and no participation trophies. Only those who move fast, think sharp, and report clean walk away with credit — the rest leave with nothing but scars earned in code combat.

CVSS Scoring Tiers

CVSS Score Range	Points Awarded
CVSS ≤ 5.0	50 Points
5.0 < CVSS ≤ 7.5	100 Points
7.5 < CVSS ≤ 9.0	150 Points
CVSS > 9.0	200 Points

How Points Are Awarded

Points are awarded based on the CVSS score of each validated vulnerability. Higher-severity findings earn more points.

Each submitted vulnerability will be evaluated, assigned a CVSS score, and rewarded according to the scoring tiers shown.

Duplicate Report Policy

To ensure fair scoring and prevent duplicate-point farming, the following rules apply to all submissions:

If your report is a duplicate of an existing valid report: You may receive up to 10 points.
If you submit a duplicate of your own previous report: You will receive 0 points.
If you submit a duplicate of a report that was itself closed as a duplicate: You will receive 0 points.
In short, the only scenario where duplicate points can be awarded is when you unknowingly submit a report that duplicates another researcher's valid finding.

What You'll Face

A complex, multi-endpoint application built to mirror real-world chaos.
Authentic auth & access controls that won't make exploitation easy.
Reporting expectations — because finding the bug is only half the battle.
Chained vulnerabilities that demand sharp context-switching and creative thinking.

Rules Of Engagement

This is a professional engagement. Act like a professional. Violation of these RoE will result in immediate and permanent disqualification.

Out-of-Scope (Zero Tolerance):
Denial of Service (DoS/DDoS) attacks of any kind.
Spamming, phishing, or any form of social engineering against staff or other participants.
Accessing or modifying data belonging to other participants.
Public disclosure of vulnerabilities. These challenges are created exclusively for participants—do not share or disclose findings.
Automated scanning tools that produce a high volume of traffic. Use your judgment. If you think it might be disruptive, it is out of scope.
We'll try to be as fair as possible. But that isn't always the ideal scenario. So In case of any and all disputes, we'll be more than happy to try and resolve it but the final say and decision will remain with us.