Skip to main content

Brought to you by

Find and Fix vulnerabilities, it’s our biggest challenge.

Do you have what it takes to find and fix vulnerabilities in source code? Compete against other attendees to be the first to fix all vulnerabilities in a simple python Flask web application. Clone the repo, find vulnerabilities, fix them, and submit your code to get a score. Not sure how to get started? Visit the AppSec community and learn how to use tools that will do the dirty work of finding vulnerabilities for you.

Everything you need to know…

This year, we’ve provided a full suite of unit tests related to site functionality to help you understand what functionality must be preserved while you are fixing the code. There will be another suite of hidden unit tests that we’ll run when you submit your code, which will identify which vulnerabilities you have fixed and which ones you have not. Whoever scores the highest wins!

How to play

Visit to get started.

A basic understanding of programming is necessary to compete in this challenge. If you would like help getting started, come visit the AppSec community – they will help you find and fix one easy vulnerability.


  • Do not try to hack the submission application/server. It is not in scope.
  • All intended functionality is unit-tested. These unit tests are provided to you to ensure you haven’t submitted broken code.
  • Points are awarded for fixing security bugs, and taken away for functionality you break in the process, for a maximum of 100 points.
  • All vulnerabilities scored pose a significant risk to the application and are exploitable. Vulnerabilities will be things like XSS, SQLi, OS command injection, broken authorization, CSRF, XXE, etc.
  • It is possible that you may discover a significant security flaw that is not scored, but we have done our best to avoid this. If you think you have fixed something but it’s not improving your score, it’s more likely that your fix is not sufficient to fully mitigate the vulnerability.
  • Tiebreaks go to the contestant who submitted their code first.
  • You are welcome to collaborate with other attendees; however, do not share your code with each other.
  • You can make a submission every 15 minutes (to reduce load on the testing server). Duplicate submissions will not be scored.
  • The AppSec community will help with learning tooling, methodology, and will give out hints for one specific vulnerability to help participants with this challenge. To ensure a level playing field, hints about other vulnerabilities will not be provided through the community.

Contest Hours

  • Contest Start
    Tuesday – Noon
  • Contest End
    Friday – 9:00a

Booth Hours

  • Tuesday
    10:30a – 5:00p
  • Wednesday
    10:30a – 5:00p
  • Thursday
    9:00a – 5:00p
  • Friday
    9:00a – 10:00a
Do you Love our Contest?

Desktop Wallpaper

Our challenge has desktop wallpaper available for download.