Rules and Details

Bogus “CyBRICS” events precaution

6 December 2022

⚠️ Please Note: competition runners of CyBRICS Capture The Flag 2019, 2020 and 2021 (SPbCTF community) have not announced any plans on holding CyBRICS in 2023.

If anyone invites you to support, endorse or take part in an event claiming to be “CyBRICS”, we advise against looking at previous years’ CyBRICS CTFs to gauge the new event’s level, and suggest treating it as a separate event with no prior history—previous showrunners and challenge developers are not associated with running that one.

More info on SPbCTF and ITMO University in 2022 →

What is it

CyBRICS is a computer security competition (CTF) organized in a cross-university effort by BRICS countries academia.

The event is organized by CyBRICS coordinating universities: ITMO University (RU), SiChuan University (CN), NIT Warangal (IN), IIT Kharagpur (IN), Wits University (ZA), Tshwane University of Technology (ZA).

The competition is made and run by SPbCTF meetups crew (members of CTF teams LC↯BC, SiBears, PeterPEN, Yozik).

What's a CTF

CTFs are competitive hacking events: like ACM ICPC, but in computer security. Teams get a number of tasks or challenges about cryptography, binary reverse engineering, web vulnerabilities, network security, digital forensics, etc — all the topics that computer security engineers work with.

Each challenge has a goal, e.g. find a vulnerability and extract the administrator's password from website database. Upon solving the challenge, team gets a flag — some secret string like cybrics{W3lc0M3_t0_t3h_G4M#}. Team submits it in exchange for points. The team with most points, wins.

To be successful in a CTF, you basically need to know computer systems good and deep.

More info about CTFs on CTFtime website.

Qualification Round

Sat, July 20th, 2019 10:00 UTC — Sun, July 21st, 2019 10:00 UTC (24 hours)

The qualification round is open to any teams, with any number of people.

Jeopardy Format

Online quals are Jeopardy-style. There will be 28 challenges assorted into seven categories:

  • Web — web technologies and vulnerabilities,
  • Forensics — analyzing data formats, logs and digital evidence,
  • Reversing — understanding the algorithm of an executable,
  • Network — messing with packets and examining packet dumps,
  • CTB — Crack-The-Box, getting code execution on a remote box,
  • Cyber and rebyC — miscellaneous challenges, everything else: cryptography, fun quirks, coding, etc.

Each category will have four difficulty levels: Baby, Easy, Medium and Hard.

Dynamic scoring will be used: the more teams solve a challenge, the less it will cost in the end.

Quals Prizes

Top-5 academic teams from each of BRICS countries (Brazil, Russia, India, China, South Africa) will be invited to the on-site Final Round and compete for 18 000 USD prize pool there.

On top of that, XCTF organizing commitee will award the Top-1 team in CyBRICS Qualification Round (not necessarily academic) with a spot in XCTF Finals 2019 (time and place will be notified separately).

Academic Team Status

To be eligible for the on-site Final Round, you need to check:

  1. BRICS — that you're from Brazil, Russia, India, China or South Africa;
  2. Five People — your on-site team has 5 or less members;
  3. University — all those members agree to compete in the name of a single university;
  4. Professor — bring a postdoc or a professor from that university with you on-site (we'll provide an invitation, she's not counted towards the 5 player limit);
  5. Not Too Young — all of your team members are 18+ y.o. at the time of Finals;
  6. Not Too Old — your team scores not more than 5 OFP (old-fella-points).


To make the competition academic, but also not impose strict limits like “only current students are allowed”, we're giving the teams freedom to choose their players, but also limiting how much non-student the whole team is.

  1. If a player is a student at the moment of Finals, he gets 0 OFP.
  2. If a player has graduated in 2019, he gets 1 OFP, in 2018 — 2 OFP, etc.
    Essentially, Old-fella-points mean how many years ago the player was still a student.
  3. To play Finals, the team should be worth 5 OFP or less as a whole.

Final Round

September 23rd — 28th, 2019

The final round is on-site in Saint Petersburg, Russia and will be hosted by ITMO University.

Attack-Defense Format

Top-5 eligible academic teams from each BRICS country are invited to compete in Finals, for a total of 25 teams. Each team has max. 5 members at the table, remote support is not allowed.

Final round will be Attack-Defense. Teams will be given identical boxes with vulnerable services. Points are scored by patching own vulnerable services and exploiting vulnerabilities on the competitors' machines.

On-site Program

  • Seminars and workshops for participant teams and professors;
  • 10-hour final round, Attack-Defense CTF;
  • Cultural program around St. Petersburg for all participants;
  • Meeting of BRICS Network University ITG “Computer Science and Information Security”.

Travel Expenses

We're trying to provide travel support to the participating teams. Current status:

  • India, China and South Africa. Local coordinating universities will arrange the flights for the qualified teams, and teams will get free accommodation in St. Petersburg during the Finals.
  • Brazil. Sadly, we haven't yet arranged travel support for local teams, so we're not covering flights or accommodation.
  • Russia. We're not covering flights or accommodation, but we will send official invitations to the teams' universities, so that they can budget the trip.

Finals Prizes

1st place: 10 000 USD

2nd place: 5 000 USD

3rd place: 3 000 USD

Competition Rules

Don't Ruin the Fun for Players

CTFs allow using any means or tools to solve challenges and outperform other teams.

At the same time, some actions can break the fun for other people. For example:

  • Don't delete flags or break services. While organizers try to maintain challenge resilience, mistakes will be made. Instead of abusing them, report them to the orgas for kudos.
  • Don't share flags or ask for flags. It's a competition, do your personal best.

Don't Ruin the Fun for Orgas

For example:

  • Don't generate excessive load. Bruteforcing or DirBusting will not be necessary, let's keep it down.
  • Don't troll, spam, flood in the chats.
  • Don't register multiple accounts.

Organizers will guard the fun by punishing the fun-ruiners.

Do Your Best and Have Fun

Good luck!


Should any questions arise, please contact us at

Telegram: @cybrics
WeChat: spbctf