FlagForge is a Capture The Flag (CTF) platform that manages user authentication, challenge data, and competitive scoring systems. Given the nature of cybersecurity competitions and the sensitive data we handle, security is at the core of our platform's design and operations.
| Version | Supported | Notes |
|---|---|---|
| 2.0.0 | ✅ | Current development version |
| < 2.0.0 | ❌ | Pre-release versions not supported |
Security measures currently in place:
- Google OAuth integration via NextAuth.js
- Session-based authentication with secure cookies (HttpOnly, Secure, SameSite)
- Role-based access control (user, moderator, admin)
- Encrypted (TLS) MongoDB connections
- Input validation & sanitization across all entry points
- Constant-time flag validation to prevent timing attacks
- Hosted on Vercel with enforced HTTPS
- Secure CI/CD pipelines via CircleCI
- Secrets kept in isolated environment variables, never in the repository
🚨 Do not test on our production domain (flagforgectf.com).
For all vulnerability testing, please use our dedicated staging environment:
This ensures testing does not affect live users or disrupt ongoing competitions.
In scope:
- Authentication & authorization bypasses
- Injection vulnerabilities (SQL/NoSQL injection, XSS, etc.)
- Server-Side Request Forgery (SSRF)
- Information disclosure & sensitive data leaks
- Challenge manipulation / flag extraction
- Leaderboard tampering
- Session management flaws
Out of scope:
- Social engineering attacks
- Physical security issues
- Third-party service vulnerabilities (Google OAuth, Vercel, etc.)
- DoS/DDoS or brute-force attacks
- Issues requiring physical access to infrastructure
When reporting, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Proof of concept (if applicable)
- Suggested remediation (optional)
What to expect after reporting:
- Acknowledgment: within 24 hours
- Initial Assessment: within 7 days
- Weekly Updates: provided during investigation
- Resolution: dependent on severity
- Coordinated Disclosure: after patch deployment
Severity ratings:
- Critical: Immediate compromise, sensitive data breach, or challenge integrity violation
- High: Privilege escalation, authentication bypass, or significant exposure
- Medium: Information disclosure, sanitization flaws
- Low: Minor misconfigurations, low-impact leaks
Developer guidelines:
- Validate and sanitize all inputs, including their type (a JSON body can carry objects where a string is expected)
- Use parameterized queries; never pass request data directly into a MongoDB filter
- Handle errors gracefully (no stack traces or sensitive debug info in responses)
- Keep dependencies updated
- Follow secure coding guidelines (OWASP Top 10, CWE)
- Never hardcode credentials in code
- Use environment variables for secrets
- Implement strict session handling
- Follow OAuth & cookie best practices
- Rate-limit flag submissions (per user and per challenge)
- Harden flag validation against timing attacks (constant-time comparison)
- Store challenge files securely
- Ensure challenge isolation between users
In the event of a confirmed incident:
- Immediate containment actions
- User notification (if applicable)
- Root cause analysis
- Patch & remediation
- Post-incident review & policy updates
📧 Primary Contact: security@flagforgectf.com
🔗 GitHub Issues: For non-sensitive discussions
⏱ Response Time: 24 hours for acknowledgment
FlagForge's security practices include:
- OWASP Secure Coding Guidelines
- Secure SDLC practices
- Regular penetration testing & assessments
- Automated dependency & vulnerability scanning
We value the contributions of the security community. Researchers who responsibly disclose vulnerabilities may receive:
- Public acknowledgment (with consent)
- Credit in release notes
- A permanent spot in the Hall of Fame
Last Updated: September 2025
Next Review: June 2026