Internal · XContent employees only · Hackathon #01

Break things.
Find what we missed.

Submit exploits of HAX Production, earn points, climb the board, claim the swag-bag.

// Window
May 11 → 15, 2026
// Mode
white hat + black box
// Pool
gear / vouchers / hall of fame

The bag.

Cash, hardware, and a year of Friday-afternoon bragging rights. Stack ranking is final at 18:00 CEST on closing day.

total pool · gear / vouchers / hall of fame
// rank · 0x01 · root

Black Hat Pass

HAX and XContentRED gear loadout
  • [+] HAX Hoodie with custom hacker callsign
  • [+] XContentRED mug with your winning exploit
  • [+] HAX spiral prototyping notebook
  • [+] HAX and XContentRED patches
  • [+] White Hacker Hat
winner takes top of leaderboard at T+120h
// rank · 0x02

Silver Shell

mini swag
  • [+] HAX by XContentRED T-shirt with your hacker callsign
  • [+] HAX spiral prototyping notebook
  • [+] HAX and XContentRED patches
2nd place finisher
// rank · 0x03

Bronze Beacon

gear
  • [+] Burp Suite Pro · 2 yr
  • [+] Hak5 starter kit
  • [+] Limited run hoodie + patch
3rd place finisher
// bounty · first_blood
First Blood
R150 voucher to whoever lands the first validated CRIT.
// bounty · most_creative
Most Creative Chain
R150 voucher. Judge's pick.
// bounty · best_writeup
Best Write-up
R100 for the cleanest reproduction + remediation steps.
// bounty · punch_through
DB Loot
R250 voucher for cross-tenant data

Severity → points.

A triage panel of staff engineers validates every submission. For duplicates, the points go to the first valid finder. Chains get bonus multipliers.

Critical 100
Pre-auth RCE, mass IDOR, full domain takeover. Game over.
High 60
Auth-bypass, privilege escalation, sensitive data exposure.
Medium 25
Stored XSS w/ impact, SSRF, business-logic flaws.
Low 8
Info leaks, missing headers, hardening gaps.

Operation timeline.

Mon 18 May · 09:00
Kickoff & recon
Scope announcement, in-bounds targets revealed, environments and accounts provisioned. Submissions open.
Tue–Thu · 24/7
Open hunt
Submit exploits and chase chains. Triage runs continuously.
Fri 22 May · 18:00
Submissions close
Leaderboard locks. Final triage, judge's picks for creative bounties.
Mon 18 May · 13:00
Awards & debrief
Results announcement, hall of fame gallery. Winners receive swag detail requests.

FAQ.

Who can participate?
Any employee who has an xcontent.com user account.
What's in scope?
HAX production environment. The full asset list is published inside the SSO portal. Anything not listed is out-of-bounds — see Rules.
Can I team up?
Yes — but only one person can claim a finding, so you'll have to convince them to share the prize.
How are duplicates handled?
The first valid submission wins the points. Subsequent duplicates earn a 5pt "confirm" credit if they add materially new repro detail.
What if I find something out of scope?
Stop, document, and report it to Simoné.