In these Rules:
- "Organizers" means Efficient Frontier Labs, operating the Day Zero Event Series.
- "Event window" means the official competition period communicated at kickoff.
- "In-scope" means any system, account, or endpoint explicitly designated as an authorized target by Organizers.
Only systems, accounts, and endpoints explicitly designated as in-scope by Organizers are authorized targets. The scope will be communicated at event kickoff and posted in the event Discord channel.
Any system, network, device, or account not explicitly listed as in-scope is strictly off-limits. This includes but is not limited to: venue infrastructure, other participants' personal devices, judge/mentor accounts, and production systems.
Organizers will not pursue legal action against participants acting in good faith. Good faith means: operating within scope, following these Rules, and promptly reporting any accidental out-of-scope access.
This safe harbor applies to good-faith conduct during, and in direct connection with, the event — including authorized pre-event reconnaissance arranged with Organizers, and the documentation and reporting of in-scope findings in the period immediately following the event window. It does not extend to actions outside the defined scope or taken in bad faith.
Day Zero events function as live research laboratories. Organizers intend to publish scientific findings, academic papers (including preprints on repositories such as arXiv), web field reports, and security metrics derived from the event.
Public Disclosure Window: All findings, vulnerabilities, and exploit paths discovered during the event must be reported to Organizers before any public disclosure. Participants agree to a disclosure window of 30 days from the date of the event, or until coordinated vendor disclosure is complete, whichever is later, during which findings may not be published, shared publicly, or disclosed to third parties without written Organizer consent.
License to Event Data: By registering and participating, participants and teams grant Organizers a perpetual, irrevocable, worldwide, royalty-free, non-exclusive license to use, reproduce, compile, analyze, and publish logs, telemetry, code submissions, exploit scripts, and defensive configurations generated during the event for research and educational purposes. This license covers the use and publication of event data only; it does not transfer ownership of participant tools or original code, which is governed by Section 05.
Vulnerability Coordination: Organizers will coordinate with relevant third-party vendors (e.g., cloud platforms, framework developers) to responsibly disclose any zero-day or framework-level vulnerabilities discovered during the event prior to public paper releases. Where a vendor's remediation timeline exceeds the standard disclosure window, Organizers will hold the relevant finding until coordinated disclosure is complete.
- Attacking other participants, their devices, or their accounts.
- Denial-of-service (DoS/DDoS) attacks against any target, including in-scope systems. This does not restrict Organizer-sanctioned resilience or load testing conducted as part of the event's benchmark methodology against designated in-scope systems.
- Social engineering of event staff, judges, mentors, or venue personnel.
- Exfiltration of real personal data or credentials.
- Any action that degrades venue network or infrastructure.
- Physical access attacks (tailgating, lock picking, hardware implants).
- Accessing systems outside the defined scope, even if accidentally discovered.
Participants retain ownership of all unique tools, techniques, and original code brought to or developed during the event. The data license granted in Section 03 permits Organizers to use and publish event data for research and remediation; it does not grant Organizers ownership of participant tooling. Organizers retain the right to utilize findings for remediation, event scoring, and research publications.
To facilitate academic rigor and appropriate credit, Organizers operate a multi-tier attribution model:
- Default Team Attribution: Unless requested otherwise, findings and metrics will be attributed to the team name provided during registration.
- Opt-In Individual Attribution: Individual participants may opt in on their registration form to have their personal names and professional affiliations credited in the acknowledgments or contributor sections of published papers.
- Opt-Out for Anonymity: Any team or individual may request to remain entirely anonymous. In this case, Organizers will replace all names and team names in the paper with randomized identifiers (e.g., Blue Team Alpha or Red Team Gamma). Requests for anonymity must be submitted in writing or via the registration portal prior to event kickoff.
- Telemetry Release: The right to publish anonymized data (e.g., timestamped request paths, response status codes, and CPU metrics) is absolute and is not affected by requests for name/team anonymity.
All participants are expected to conduct themselves professionally and respectfully. Harassment, discrimination, intimidation, or disruptive behavior of any kind will result in immediate removal from the event.
Competitive intensity is encouraged. Personal hostility is not.
- Event Media: The event may be photographed and recorded by Organizers for promotional purposes. Participants who do not wish to be photographed should notify Organizers at check-in.
- Private Screen Recording: Participants may not record, stream, or broadcast other participants' screens, techniques, or conversations without explicit consent.
- Open Science Data Release: Organizers reserve the right to publish anonymized, scrubbed event logs and traffic datasets (e.g., HTTP logs with payload scrubbing) to public repositories for the benefit of the security research community.
Participants attend at their own risk. Organizers, venue partners, and sponsors are not liable for any loss, damage, or injury incurred during the event. By attending, participants acknowledge this limitation of liability.
Organizers reserve the right to disqualify any participant or team for violations of these Rules. Disqualification decisions are final. Disqualified participants forfeit any claim to prizes.
Suspected criminal activity will be reported to appropriate authorities.
By registering for and attending a Day Zero event, you acknowledge that you have read, understood, and agree to these Rules of Engagement.
Questions, concerns, or attribution updates: mail@day-zero.dev