THE JUNKYARD

An End-Of-Life Pwnathon
February 21-22, 2025

Welcome to the Junkyard, an EOL Pwnathon.

Organized by DistrictCon - a new DC hacker con.

Give Us Your Best (or Worst) Zero-Day Vulns.

The Junkyard is a platform to showcase novel security research and support hobby and career development for security researchers.

We want you to bring your most impactful, creative, or most meme-worthy bugs in end-of-life (EOL) products, and demonstrate them live on stage. 

Winners get 💰 prizes 💰 to further future vulnerability research. The first 20 accepted submissions will get additional swag!

What’s in Scope?

Any product (software or hardware) publicly listed by the vendor as EOL-ed at least one day before submission.
In keeping with the conference ethos, we also require that:
- You commit as the researcher to responsible disclosure of the vulnerability (60-90 day disclosure windows with vendor); 
- You conducted your research in accordance with US law and ethical practices; and
- You are not under any restrictions or sanctions from the US. 

PRIZES

Prizes will depend on final sponsorship support, but are expected to range from $100 to $5,000 USD. These may change in cases of exceptional brilliance or lack thereof. All prizes and acceptance of results to the event are at DistrictCon’s sole discretion.
Prizes will be awarded in the following categories to the top 2 scorers (winner and runner up), so plan accordingly:

❗ Most Impactful System ❗

🤡 Best Meme Target 🤡

😈 Most Innovative Exploitation Technique 😈

What Should I Expect / How Does the Contest Work?

1️⃣ Submit Your Target to DistrictCon

- Fill out the form on this page, tell us what target you're exploiting, and how much help you'll need with disclosure. Get proof that the target is EOL.

2️⃣ Disclose the Bug to the Vendor 

- We can help if needed!
 
3️⃣ Create a Cover Name, 5-10 Min Talk + Demo

- Attendees won’t know what your target will be until you reveal it on stage! The cover name is for the agenda.

4️⃣ Give us your Target Ahead of Time to Prep for Demo

- We'll restore the target to a default configuration (in consultation with you) and prepare to have it on stage for you to demonstrate against. If this doesn’t work for you (the item is big, etc.), we’ll work with you on a video option, or try to source the device locally.

5️⃣ Compete and Win! 💰

When you come up on stage, you’ll share:
- Who you are, as much as you want
- The target, and why it matters
- A demonstration of the bug, explaining how it works and its impact

Nothing will be live-streamed or recorded without your permission.

Frequently Asked Questions

1) Is an EOL software or product in scope, even if there are components within it that are not EOL?

A: Yes, but there are caveats: the spirit of this event is to help identify and notify vendors of vulnerabilities in EOL software or products, and all submissions should be in this spirit.
If an EOL item has components that are not EOL within it, that’s fine. However, non-EOL components should not be the focus of the vulnerability or chain - we are not looking for exploits in current systems. If you have questions, please reach out via the submission process and we will work with you to ensure the submission is appropriate for the event.

2) What should my Junkyard pitch at DistrictCon look like? 

For maximum audience enjoyment and clarity of your awesome work, we prefer that you present a live demo against the EOL system. We know this won't always be practical, so we will work with you during submission review to find the right approach. As part of your demonstrated chain, the judges are (among other things) looking for proof of control and execution.

Given the broad swath of valid targets, we know that what this means may differ from target to target, but two "traditional" examples are to pop a shell and confirm root privileges, or to demonstrate arbitrary code execution.

3) What is EOL for Open Source, specifically with an archived repository? 

If the software you’re attempting to exploit is an archived repository, first ask whether (a) the software has moved to a new home, and (b) the archived repo is a fork and the substantially similar project is still active.

If the maintainer confirms they are not maintaining the given version or product, you should be good to go. Otherwise feel free to reach out to the DistrictCon Junkyard Team via the submission process, or via outreach@districtcon.org with additional questions.

4) What if I have multiple bugs? Can I submit multiple entries?

Sure! The more targets the merrier. If the bugs are all related to a single target they may be combined and condensed into a single demo. Chaining bugs together will likely earn more points with the judges!

I Have More Questions.

Additional details such as the responsible disclosure timelines and any assistance from the conference will be published when available. Please contact outreach@districtcon.org for more details.
In the case of similar bugs, our team will work privately with the submitters to deduplicate appropriately. 

Interested?