CTF Rules

Trace Labs CTF Rules

Since the Trace Labs CTF involves real people, we must be very strict with our rules. Most of these rules are designed to ensure there is no criminal activity by contestants but also to ensure we are respectful to missing person and their family.

Please follow the rules. While we know there may be misunderstandings, our CTF involves real people with real families. If you have questions, please ask someone (either onsite or in the Slack channels).

  • Submissions must not use any news/media, law enforcement or missing persons sites as their source. The reason for this is because its too easy and of no value. These submissions will be deleted.
  • To score points, your submissions must be verifiable. This means a link to the public information you discovered. Information behind a pay wall is not worth any points as it can not be verified.
  • Finding the location of a lost person gets the most points and we do often locate these people. However, sometimes this is due to the individual already being found and the police have simply not updated the website. While we won’t give full points for these cases of “location,” we will give some as its still good OSINT.
  • Only registered teams/individuals can participate in the contest.
  • The event organizers may or may not allow virtual participation. Please check with the event organizer on this.
  • Attacking any Trace Labs or hosting group’s infrastructure will result in immediate disqualification and permanent ban.
  • Attempting to exploit any other players will result in immediate disqualification and permanent ban.
  • Contacting the subject, family of the subject or friends of the subject will result in immediate disqualification (this includes tagging, friending, liking or any other interaction). Basically, performing anything but OSINT will result in disqualification. This means you don’t “friend” or comment on any social media related to the subject.
  • Using passwords from publicly available data breaches will result in immediate disqualification. While the data is public, the use of that data is illegal, immoral and not in the spirit of Trace Labs mission. Using tools to see which of their accounts have been breached is acceptable and encouraged.
  • Information that is published by either the police or the media is not helpful and will not score points. We will therefore ignore submitted flags with links to law enforcement or media domains.
  • If you have public data (such as meta data) that is not available via link, show us the process for discovering and it “may” be allowed.
  • You cannot create (fake) the intelligence. We will be checking this.
  • Do not engage the law enforcement or media. At the end, the contest organizers will send local law enforcement everything we collect.
  • Do not try to “game” the system. This includes repeatedly submitting the same information or trying to use categories with higher point values when the intel is not in that category. This may not get you disqualified immediately as we will try to talk to you about it first. However it will greatly reduce the speed at which we process your data which will mean your team’s progress will not be shown on the leader board.
  • Trace Labs reserves the right to enforce any new rules that are reasonable.

If in doubt, ask us. We will be happy to provide guidance. Questions, concerns and recommendations can be sent to: info [at] tracelabs.org or post in our Slack channel.

Get access to our Slack channel by signing up here: