All submitted vulnerabilities must:

1. be the original research of the researcher(s),
2. have had Coordinated Disclosure by the researcher (x-1) at least 60 days prior (x-2) to disclosure at the conference,
3. be in products that have End of Life or End of Support dates at least one day prior to submission, and
4. not be sold or shared to any other third party without DistrictCon consent.

(x-1) If the researcher requires assistance and volunteer capacity is available, DistrictCon or its partner(s) may provide assistance with Coordinated Disclosure efforts.

(x-2) Exceptions may be made to the 60-day rule if the vendor provides acknowledgement or affirmation in support of Disclosure at the conference, or if the vulnerability has been publicly mitigated before the conference.

By submitting to this contest:

• you agree to adhere to the DistrictCon_Code_of_Conduct_Policy_(2024-10-29).pdf,
• you agree to adhere to the DistrictCon Coordinated Disclosure Policy,
• you agree to the DistrictCon_Junkyard_Terms_(2025-05-17).pdf, and
• you agree that you have read, understand and will adhere to the DistrictCon Junkyard Program Brief (this text).

Intellectual Property: You own all rights to your original research.

Coordinated Disclosure Policy and Code of Conduct

All contest submissions are subject to the DistrictCon Coordinated Disclosure Policy and Code of Conduct. Submissions may be rejected if DistrictCon staff determines the submission is incomplete, or deems otherwise appropriate. All participation is contingent upon signing a responsible disclosure agreement with DistrictCon when disclosing all relevant information, which will be provided by DistrictCon staff during the selection process.

Note: DistrictCon cannot grant Safe Harbor for hacking the targets you select; that is between you and the product vendor.

Any product (software or hardware) No Longer Supported by the Vendor.
What does this mean?

• Publicly listed as deprecated / EOL / EOS / EOSS at least 1 day before DistrictCon Year 2;
• Running on a platform no longer supported by the new OS;
• vendor has archived their project (if open source);
• Vendor has told you (via email) that the product or version is not supported;
• Or tell us why you think it matches the intent of the contest!

Submission Template

Copy the markdown below and paste it into your blank submission then fill it out. This will help make sure you include all the info that we need up front.

## Proof of Eligibility
* EOL Date? <date>
* EOL Confirmed by Vendor? <bool>
* EOL Date Source: <image>, optionally with URL it came from

## Presentation Details
* Speaker Names for Display:

| Name | Handle | Phonetic Pronunciation (optional) | Socials (X, Instagram, Linkedin)
| :-- | :-- | :-- | :-- |
| John Doe | hackerguy | John hacker guy doe | 
| Jane Doe | bntyplz | bounty please |
| Anonymous Speaker 3 | n/a | n/a |
	
* Speaker socials, if any:

* Coverterm for talk, for display: <txt>

## Target Details
* Target Name/Model:
* Target Version:
* Target Category: <dropdown: enterprise software, game, other software, IoT hardware, industrial hardware, other>

## Proof of Disclosure
* CVE (optional)?: <txt>
* Coordinated Disclosure Date: <date>
* Coordinated Disclosure Proof: <img>, email or some other proof the vendor was notified

## Vulnerability Details
### Product Overview
Give us a few sentences that explain what the product is, what it does, and why you chose to work on it.

### Description
Tell us everything about your vuln. What does it do? How does it work? Are there any quirks that make it tick or not tick? What's the story about how you found it?

### Steps to Reproduce (Optional)
Explain the conditions that need to be set up for the exploit to work. Explicit numbered instructions that, if followed will guide someone to exploit the vuln.

### Additional Artifacts
Attach and describe any extra code, binaries, etc that you want.

Products with active support.

Submissions presented at the conference will be judged by a panel of humans on stage in front of a live audience.

How does the contest work?

1️⃣ Submit Your Target to THE JUNKYARD
Upload to your ticket in the DistrictCon platform: (1) what target you’re exploiting; and (2) proof that the target is EOL (e.g., from a webpage, announcement, or an email from the vendor confirming it).

2️⃣ Disclose the Bug to the Vendor ASAP

• Check out our Disclosure Guide here. You can also DM our team on socials (X, Bsky, LinkedIn), or email outreach@districtcon.org for help if needed!
• Update your Junkyard Ticket with Proof of Disclosure.Your entry will not be considered until we have this proof.

3️⃣ If Your Entry is Accepted to present at DistrictCon: Create a Cover Name, 10-15 Minute Talk + Demo

• Attendees won’t know what your target will be until you reveal it on stage! The cover name is a fun name to go on the agenda.
• Tell us your name and/or handle as you’d like them displayed.
• Let us know any unique requirements: if it’s huge, power requirements, if you need to play audio from a device, etc.

4️⃣ Compete and Win! 💰
When you come up on stage, you’ll share:

• Who you are, as much as you want
• The target, and why it matters
• Demonstrate the bug, explain how it works and the impact
• Share anything unique, clever, and creative about your exploit development.
• We will live-stream and record only with your permission (last year everyone opted to!).

About DistrictCon

DistrictCon is a DC hacker conference, focusing on hacking together and exchanging ideas over typical talk tracks. We want to grow the community through action and engagement that focuses on the greater good, while also enlightening policymakers. Topics will range from classic hacking topics (binary exploitation and reverse engineering) to infosec policy and geopolitics. We’re building a DC hacker con while keeping it, above all else, a hacker con.
Please check out the DistrictCon website for more information: https://www.districtcon.org/

Is EOL software or hardware in scope, even if there are components within it that are not EOL?

Yes, but there are caveats: the spirit of this event is to help identify and notify vendors of vulnerabilities in EOL software or products, and all submissions should be in this spirit.
If an EOL item has components that are not EOL within it, that’s fine. However, non-EOL components should not be the focus of the vulnerability or chain - we are not looking for exploits in current systems. If you have questions, please reach out via the submission process and we will work with you to ensure the submission is appropriate for the event.

What should my Junkyard pitch at DistrictCon look like?

For the maximum audience enjoyment and clarity of your awesome work, we prefer you presenting a live demo against the EOL system. We know this won't always be practical, so we will work with you during submission review to find the right way. As part of your demonstrated chain, the judges are (among other things) looking for proof of control and execution.

Given the broad swath of valid targets, we know this may differ in what that means, but two "traditional" examples are to pop a shell and confirm root privileges, or demonstrate arbitrary code execution.

What is EOL for Open Source, specifically with an archived repository?

If the software you’re attempting to exploit is an archived repository, first ask if (a) the software moved to a new home and (b) is the archived repo a fork and the substantially similar project is still active?

If the maintainer confirms they are not maintaining the given version or product, you should be good to go. Otherwise feel free to reach out to the DistrictCon Junkyard Team via the submission process, or via cfp@districtcon.org with additional questions.

What if I have multiple bugs? Can I submit multiple entries?

Sure! The more targets the merrier. If the bugs are all related to a single target they may be combined and condensed into a single demo. Chaining bugs together will likely earn more points with the judges!