HAX/xcontent
document · v3.1 · effective 2026-05-18

Rules of Engagement.

Read this before you start touching anything. SSO will gate-check your acknowledgement before submission access is enabled. If something here is ambiguous, ask before proceeding.

DOStay in scope. Targets listed in the SSO portal are fair game. Anything else: don't.
DODocument as you go. Reproducible steps are the difference between points and zero.
DON'TTouch other XContent targets. All targets are inside HAX Production environment. XContent targets = instant DQ.
DON'TSocial engineer humans. No phishing colleagues, no calling the helpdesk, no impersonation.

01Eligibility

Open to all full-time employees on XContent payroll as of May 1, 2026. You must complete SSO acknowledgement before submissions are enabled on your account. Colleagues who have access to Azure and information about XContent infrastructure — you will have to rely on recon information outside of the environment. If asked, you will need to show your chain of discovery, which can't start with information hidden behind the curtain.

  • Solo or teams.
  • Only 1 individual can claim an exploit/finding.

02Scope & targets

Authoritative target list lives behind SSO. The categories below are the public summary.

// in scope
  • ONLY Hax Production Application
// out of scope
  • Anything on *.xcontent.com outside target list
  • Employee accounts & mailboxes
  • Third-party SaaS
  • Office / building physical security
  • Vendor and supplier infrastructure

03Allowed activity

  • Active scanning, enumeration, fuzzing — within reasonable rate limits (target: <100 RPS sustained per asset).
  • Using the HAX platform scan and analysis capabilities.
  • Using your HAX user account credentials and sessions.
  • Authentication bypass research, IDOR hunting, business-logic abuse.
  • Code review of any source you can access.
  • Tooling of your choice — Burp, ZAP, custom payloads, semgrep, etc., incl. any AI.
  • Coordination with teammates via private channels.

04Prohibited activity

  • Destructive actions. No DoS, no data destruction, no resource exhaustion attacks. If you gain access, leave a calling card.
  • Dark-web exploit services. No use of dark web penetration/exploit SaaS services.
  • Persistence. Don't backdoor, don't leave shells, don't pivot beyond proof.
  • Other users' data. If you encounter what looks like customer data, screenshot the path, download whatever you can. Report immediately. It will be dummy company data — no PII exposure.
  • Social engineering. No phishing, vishing, smishing, or impersonation of any human.
  • Public disclosure. No tweets, blog posts, screenshots in public channels, or any other public disclosure until the embargo lifts. After that you're welcome to post about the hackathon experience but nothing about actual findings.
  • External collusion. No sharing exploits with anyone outside the company.

05Submission requirements

Every submission needs all of:

  • Title — short, descriptive (e.g. "Pre-auth RCE in auth-svc via JWT alg confusion").
  • Asset & category — pick from the in-scope list.
  • Severity self-assessment — Critical / High / Medium / Low. Triage may adjust.
  • Reproduction steps — clear, numbered, copy-pastable. Markdown encouraged.
  • Proof — screenshot, PCAP, request/response, or short video. No raw exfil dumps.
  • Impact statement — what an attacker can do, in plain English.
  • Suggested remediation — even a sketch counts. Better fixes earn write-up bonus.

06Scoring & triage

  • Severity points: Crit 100 · High 60 · Med 25 · Low 8.
  • First valid submission of a unique finding takes the points. Confirms with new repro detail earn +5.
  • Chains earn a 1.25× multiplier when stitched into one submission.

07Disclosure

All findings are subject to a non-disclosure embargo after the event closes. After embargo, write-ups can be shared internally; external disclosure requires XContentRED sign-off.

08Disqualification

  • Touching production or out-of-scope assets, even accidentally without immediate report.
  • Harassment of other participants. We have a code of conduct; it applies here.
  • Falsifying submissions.
  • Contacting or engaging with external threat-actors.

Activity is authorized only against the in-scope assets and only for the duration of the event window (2026-05-18 09:00 CEST2026-05-22 18:00 CEST).

Any personal data accidentally encountered must be deleted from your local machine within 24h and reported in your submission.

10Contact

  • Questions: use the hackathon Teams chat.

Acknowledge to participate.

SSO sign-in below will require you to confirm you've read this document and agree to the rules. The same flow grants you submission access.

$ acknowledge & sign in View leaderboard