
Besides vulnerabilities in specially designed services, there are vulnerabilities common for real information systems: weak passwords, known vulnerabilities in OS/services, errors in configuration, real vulnerabilities in web applications (such as popular CMS).
During the competition, changes in the system can be made that can lead to additional vulnerabilities to competitors’ services. Competitors’ goal is to detect the vulnerabilities, eliminate them in their servers and do not break the server operation. Competitors also should use similar vulnerabilities on competitors’ servers to capture flags.