Only systems, accounts, and endpoints explicitly designated as in-scope by event organizers are authorized targets. The scope will be communicated at event kickoff and posted in the event Discord channel.
Any system, network, device, or account not explicitly listed as in-scope is strictly off-limits. This includes but is not limited to: venue infrastructure, other participants' personal devices, judge/mentor accounts, and production systems.
The organizers (Efficient Frontier Labs and Day Zero) will not pursue legal action against participants acting in good faith within the defined scope. Good faith means: operating within scope, following these rules, and promptly reporting any accidental out-of-scope access.
This safe harbor applies exclusively to actions taken during the event window at the designated venue.
All findings, vulnerabilities, and exploit paths discovered during the event must be reported to organizers before any public disclosure. Participants agree to a 30-day disclosure window from the date of the event, during which findings may not be published, shared publicly, or disclosed to third parties without written organizer consent.
After the disclosure window, organizers will coordinate with participants on any public write-ups or attribution.
- Attacking other participants, their devices, or their accounts
- Denial-of-service attacks against any target, including in-scope systems
- Social engineering of event staff, judges, mentors, or venue personnel
- Exfiltration of real personal data or credentials
- Any action that degrades venue network or infrastructure
- Physical access attacks (tailgating, lock picking, hardware implants)
- Accessing systems outside the defined scope, even if accidentally discovered
Participants retain credit for all discoveries and techniques developed during the event. Organizers retain the right to use findings for remediation, event reporting, and public write-ups with appropriate attribution.
Pre-existing tools, frameworks, and code brought to the event remain the sole property of their creators.
All participants are expected to conduct themselves professionally and respectfully. Harassment, discrimination, intimidation, or disruptive behavior of any kind will result in immediate removal from the event.
Competitive intensity is encouraged. Personal hostility is not.
The event may be photographed and recorded by organizers for promotional purposes. Participants who do not wish to be photographed should notify organizers at check-in.
Participants may not record, stream, or broadcast other participants' screens, techniques, or conversations without explicit consent.
Participants attend at their own risk. Organizers, venue partners, and sponsors are not liable for any loss, damage, or injury incurred during the event. By attending, participants acknowledge this limitation of liability.
Organizers reserve the right to disqualify any participant or team for violations of these rules. Disqualification decisions are final. Disqualified participants forfeit any claim to prizes.
Suspected criminal activity will be reported to appropriate authorities.
By registering for and attending a Day Zero event, you acknowledge that you have read, understood, and agree to these Rules of Engagement. These terms apply to all Day Zero event series activities including The Stakeout pre-event sessions and all main event activities.
Questions or concerns: mail@day-zero.dev