Rules in the Qualification Round of WhiteHat Grand Prix 06
03:43:00 | 19-11-2019


1.1. Groups, individuals participating in the competition are willing and voluntary to comply with the Rules of WhiteHat Grand Prix (WGP). 

1.2. All information about WGP can be found on https://Grandprix.WhiteHatVN.com


2.1. Promote the development of information security human resources.

2.2. Stimulate and inspire the learning and skill improvement.

2.3. Strengthen the ability to work collectively, exchange, learn and share experiences internationally

2.4. Find, detect, and assist in fixing vulnerabilities on critical systems and popular software.

3. THEME: Vietnam Today

4. GUARANTOR: Vietnam Ministry of Information and Communications


Authority of Information Security – Vietnam Ministry of Information and Communications

Vietnam Cyber Security Community

6. SPONSOR: Bkav Corporation

7. CHALLENGE AUTHORS: Authority of Information Security, Bkav Team, CyStack, Duy Tan University


The total prize that a team can receive contains bounties from Private Bug Bounty program and the prizes of Attack/Defense competition in the Final Round.

8.1 Attack/Defense

- 1st Prize: 230 million dong (equivalent to 10,000 USD), Champion cup, Certificate from Organizer

- 2nd Prize: 45 million dong (equivalent to 2,000 USD), Certificate from Organizer

- 3rd Prize: 23 million dong (equivalent to 1,000 USD), Certificate from Organizer

8.2 Private Bug Bounty

- Teams will participate in the Private Bug Bounty program on the simulated system. With each Bug found, teams will earn points according to the levels of: Critical, Important, Medium and Low severity.

- Teams will receive additional bonuses from the points earned in the Private Bug Bounty program.


9.1. Who can participate: Groups and individuals from countries and territories all over the world can participate. There is no limit to the number of teams participating.

9.2. Individuals and organizations of the Organizer, admins of are not allowed to participate.

9.3. Individuals and organizations (directly or partially support creating the challenges) of challenge authors are not allowed to participate.


10.1. The Qualification Round: Select Top 10 teams to the Final Round.

Format: Online CTF - Jeopardy at with the contents of: Reverse engineering, Web Security, Cryptography, Pwnable, Miscellaneous.

How to choose 10 teams to the Final Round: Top 10 teams with score top-down. Each country is allowed to have a maximum of 3 teams to the Final Round. The information of country will be checked before the Final Round. Each team is considered to be valid if at least one member of that team has the nationality of that country.

Time to register: 06 December 2019 until the end of the Qualification Round

Time of competition: From 09:00 Saturday, January 04, 2020 to 09:00 Sunday, January 05, 2020 (UTC+7)

How to register: Register online at or

10.2. Final Round: Top 10 teams to the Final Round will compete directly to find Top 3 best teams.

Format: Private Bug Bounty and Attack/Defense

Private Bug Bounty is a program finding vulnerabilities dedicated to Top 10 in the Final Round. The program takes place during the Final Round.


11.1. Strictly prohibit any destructive attack targeting the scoring server or other entities not included in the challenge requirements, DOS/DDOS infrastructure or preventing the performance of other teams.

11.2. Strictly prohibit sharing flags with other teams

11.3. Unless stated otherwise, flag will be in form of “WhiteHat{SHA1(this_is_a_flag)}”.

11.4. On detecting any problems with the challenges, teams should inform the Organizer immediately.

11.5. Strictly comply with the rules and regulations of WGP. Any violation, depending on its severity, will be warned, penalized or disqualified from the competition. Decisions of the Organizer are final decisions.

11.6. There might be hints for the challenges, depending on the performance of teams.

11.7. In case teams achieve the same score, the ranking will be prioritized to the team that submits sooner.

11.8. Teams to the Final Round must send write-up of challenges solved to the Organizer.

10.9. Teams are not allowed to change the country information since the Qualifier officially starts.


This set of rules is regulated by the Organizer and takes effect from the date of issuance. If there is any adjustment and/or change, the Organizer will have timely notification to teams and update on


  • How scores are calculated in the Qualification Round:

1. Point = 500 – (number of teams solved chall)*10 (500>=Point>=100)

2. Firstblood = 10 (Bonus points for the first team solves)

3. Unless stated otherwise, flag will be in form of WhiteHat{SHA1(this_is_a_flag)}

4. Top 10 teams qualified to the Final round shall send the Organizer write-ups for the challenges they solved.

5. Top 10 teams with the highest points from the online qualifier will be invited to compete in the Final Round (expected to be in early 2020).

6. How to choose 10 teams to the Final Round: Top 10 teams with score top-down. Each country/territory has only maximum 3 teams to participate (with the highest points). The registration of country flags will be checked before the Final Round. One team is considered as valid if at least one member of that team is the citizen of that country/territory.

7. Support channel:


Invite link:


  • Rules of the Final Round: To be announced later