Rules

  1. Communication throughout the CTF will be via Discord. For all ground truths regarding challenges, questions, and memes join the discord and ask an organizer (with the @org role).
  2. For the qualifying event team size is unlimited. For finals team size is limited to five people.
  3. The top 10 teams will qualify for the finals event in Stockholm, Sweden. Eligibility is subject to an audit to ensure fairness and no cheating.
  4. If you need to cheat, you shouldn’t be here, immediate disqualification. Our qualifying event is easy, only skilled people will have a chance to succeed at the finals.
  5. Would you kick a puppy? Steal candy from a baby? Harming infra is just as bad, immediate disqualification.
  6. Bullying of all kinds is not permitted. Sexual harrasment of any kind is not permitted. Any violations will result in a team's immediate disqualification.
  7. Writeups may be requested from winning teams to attend the finals event.
  8. If you have any issues contact an organizer.
  9. All teams are required to have fun. Apply alcohol liberally (if of age).

Qualifying Event Prizes

  1. First place team will win $512 and 3 Binary Ninja licenses.
  2. Second place team will win $256 and 2 Binary Ninja licenses.
  3. Third place team will win $128 and 1 Binary Ninja license.
  4. The Master of Speed Pwn will win 1 Binary Ninja license. Master of Speed Pwn is the team who successfully completes the most speed pwns in the shortest cumulative time.
  5. The top 10 teams will have travel and hotel covered to come to Stockholm, Sweden to play in the Midnight Sun CTF finals.
  6. Contact to distribute prizes will be made via the email used to register the team.
  7. Teams with members that are affiliated with HFS or Midnight Sun CTF sponsors are ineligible for prizes.

Addendum — EU Sanctions Compliance Statement

  1. Why this clause exists — Midnight Sun CTF & Conference is organised in Sweden and is open to the global security-research community. We believe individual hackers should never be judged by the actions of their governments.
    However, as an EU Member State, Sweden and all legal entities organized under Swedish law are legally bound by EU Council Regulations that prohibit providing “funds or economic resources” to persons or organisations listed under EU sanctions.1
  2. What this means in practice
    • No cash-equivalent rewards (including prize money, travel stipends, accommodation or in-kind vouchers) will be paid, directly or indirectly, to any person or entity that appears on the EU consolidated sanctions list, or that is owned or controlled by such a person or entity.2
    • Russia-specific note — because Russia is subject to the widest and most comprehensive sanctions regime ever adopted by the EU (over 2 400 listings and additional sectoral bans), applicants or finalists who are resident in the Russian Federation should expect enhanced scrutiny.3
    • Corporate & team entries — any company-sponsored team must certify that neither the company nor any parent, subsidiary, director or 50 %+ shareholder is a sanctioned person or entity. Special attention is paid to firms active in cyber-security, dual-use technology, crypto-currency services or logistics, as these sectors are frequently black-listed for sanctions evasion.
  3. Background-check process — finalists from, or with links to, jurisdictions subject to EU sanctions will be asked to provide verifiable information so that we can confirm eligibility. Checks may cover:
    • Identity and criminal-record screening
    • Credit and financial-sanctions screening (incl. OFAC, EU and UN lists)
    • Recent employment and education history
    • Confirmation that travel funding will not violate export-control or dual-use rules
    All personal-data processing follows the principles of lawfulness, fairness, transparency, data-minimisation and purpose limitation under the EU General Data Protection Regulation (GDPR).4
  4. Equal-treatment guarantee — screening is conducted solely to meet legal obligations. Midnight Sun CTF & Conference does not tolerate discrimination on the basis of nationality, ethnicity, race, religion, gender, sexual orientation, disability or any other protected ground under Sweden’s Discrimination Act (2008:567).5
  5. Appeals & liability — if a prize is withheld because of a positive sanctions hit, the entrant will be notified and given the opportunity to prove that the listing does not apply. Under EU law, organisations that withhold funds in good-faith compliance with a sanctions regulation incur no civil liability.6
  6. Contact point — questions about this clause or requests for data-access under GDPR should be sent to [email protected].

1 EU sanctions adopted via Art 29 TEU & implemented by directly binding regulations under Art 215 TFEU.

2 Art 2(2), Council Regulation (EU) No 269/2014 (Russia-related asset-freeze regime).

3 European Commission press releases, 2024-2025: “massive and unprecedented” sanctions against Russia; ≈2 400 listings.

4 GDPR, Art 5(1) — principles of lawfulness, fairness, transparency, purpose limitation & data minimisation.

5 Swedish Discrimination Act (2008:567).

6 Art 10, Council Regulation (EU) No 269/2014 — liability shield for good-faith compliance.