Yandex’s Month of Security Bugs

Yandex, as a large internet company, treats the information security of its users very seriously. To raise the awareness of the importance of information security among our users, we invite everyone interested to participate in an open contest to find vulnerabilities in Yandex’s web services.

All participants have one month to find and report any security-related bugs in Yandex web services. On ZeroNights conference we will announce contest winner who will be rewarded with $5000.

Read more

Competition "Hack me if you can"

Contest allows participants to check their skills in reverse engineering. Participants are offered an executive file for MS Windows. As it starts there is a dialog with a proposal to enter a username and a code phrase. The aim is to understand the verification algorithm and to provide a generator of code phrases for a random name.

First place: Fully reconstructed algorithm of generation and generator of code sequences for any names.
Second place: To describe algorithm in outline and to provide a code sequence for your name (under which a participant is registered).
Third place: To provide a description of code phrases' generation algorithm.

The winner is the first participant who will be able to provide a keygen for random names and a brief description of verification algorithm work principles.

Organizer: ESET

Competition "Hack the SCADA".

At the conference there will be presented a real stand of industrial controller with terminals, where it will be necessary to detect vulnerability.

Unique prize for this contest - practically SCADA-controlled vehicle, controlled via wifi from IPhone.

It is needed to find and demonstrate local or remote vulnerability in our SCADA.

Organizer: ERPScan

Competition "Hack SAP".

The contestants will be offered to detect vulnerability in SAP NetWeaver Java engine 7.02 and to demonstrate it.

The prize for the best vulnerability is Amazon Kindle 3G.

It is needed to find and demonstrate 0-day vulnerability in SAP NetWeaver Java engine 7.02. OR To obtain shell in the system via already known vulnerabilities in SAP NetWeaver Java engine 7.02.

Organizer: ERPScan

Competition "King of the Hill"

Tournament competition for IT security experts.

Gain access to a vulnerable server by any means, and keep it as long as possible; repel attacks of other participants after breaking in. The server is available on the wireless network and contains a number of typical vulnerable system-level and Web applications running Linux with the possibility of LPE.

Goal of the participants is to hack the server as soon as possible.
After breaking in, a contestant writes his name into a special database table.
Every subsequent participant with successful hack attempt rewrites his name.
The task of those who have already reached the top - to defend themselves.
The task of those who have not yet reached the top - to get there ASAP.

The task of those who have not yet reached the top - probably to get there.

You can use any available tools to get access.
Name of the king is read by the counter server every minute.
While the table is unavailable (for example, when the server is in
reboot), all participants receive penalty minutes.
Penalty points are charged to all participants.

Organizer: ONsec Company

Competition "Oday Hunter"

Group tournament for application security researchers. Participants will be invited to examine a Windows application, which contains undisclosed number of typical RCE/LPE vulnerabilities, along with typical anti-exploitation protections. Competitor's goal is to locate as many vulnerabilities as possible, and optionally, to develop exploits for those vulnerabilities.

Types of targets:
- userland input processing vulnerability
- kernel code vulnerability
- exploit code.
Flags: application crash, BSOD, execution of calc.exe via attacker's shellcode.

1. Competitors are free to choose whether to invest their time into
hunting vulnerabilities or developing exploits.
2. Ratings for vulnerability and exploit points will be held separate.
3. Competitors are free to use tools and techniques of their choice.

Organizer: EsageLab

Competition "Wallpaper ZeroNights".

Draw wallpaper with a hacker theme.

The given contest does not oblige you to take part in the event.
Activity variants are to be sent to

The presence of ZeroNights inscription in any performance (0nights, Z3r0N1g4ts and others) is obligatory

Organizer: DefconGroup #7812

Competition "Lockpicking Village".

Would you like to know how locks work and how they can be broken? And maybe you are an expert safecracker and wish to demonstrate your skills? Then check out lockpicking village. Lockpicking is an art of lock opening without using a key and damaging the locks, and besides it is a fascinating action without which any hacker conference doesn’t manage. Within the conference there will be a contest where you can try your luck in struggle against the locks and get valuable prizes.

The contestants are to crack the locks using picklocks within a time limit. It is allowed to use your own picklocks or picklocks, provided by the organizers.

Organizer: DefconGroup #7812

Competition "The best hacking t-shirt".

During the conference we will assess our visitors’ style, namely the uniqueness and originality of t-shirts. So, a person with the coolest t-shirt with hack theme will be looked for by our agents during the conference.

There are no boundaries in hacker spirit expression.

Organizer: DefconGroup #7812

“Clever won’t go uphill, clever will bypass mountain” competition

This contest if for those who like to find the vulnerability in information security means. Contestants are offered to imitate attack on the client place of internet banking system, using the technology of document substitution, or remote control of the client work station.
Used security means: key of electronic signature on smart card, SafeTouch reader is used for the work with smart card.

  • obtained electronic signature must correspond with the message, made in accordance with the rules, described in SafeTouch SDK (signature check is imitated on the client side)
  • physical access to the SafeTouch card is limited only by the possibility of using “+” and “x” buttons to debug the attack (it is prohibited to take out, insert another card, open/replace SafeTouch physically) A remote attack is imitated.

1. Initial data:
  • smart card
  • SafeTouch
  • libraries for the work with smart card
  • example of initial code from SafeTouch SDL, which realize the signature

2. Aim:
    To obtain document electronic signature during the fulfillment of one of the following conditions:
  • on the SafeTouch screen the key requisites are shown, which differ from actually described
  • on the SafeTouch screen during the signature generation no information was displayed.

Organizer: SafeTech

Official support:
With participation of:
Tech partner:
Media partners:
Competitions organizers: