User-generated content – targets created by OffSec community

All virtual machines submitted to OffSec via the UGC program will be reviewed in detail by our labs team. This ensures your submission meets the same high standards that the virtual machines developed in-house do. All submissions have guidelines and stipulations that you need to adhere to in order to be accepted. Please read these guidelines in detail at our FAQ here.

Approved, qualifying submissions are eligible for a reward based on tiered categories. OfSec reserves the right to refuse any submission. OffSec is wholly responsible for determining the category the submission belongs to.

Submitted systems will likely fall into one of two common scenarios:

• Capture the Flag (CTF) style targets: These targets offer fun and challenging puzzles but are often not the realistic scenarios you would likely encounter in a real assessment.
• Realistic penetration testing scenarios: These targets provide realistic scenarios of the sort you are likely to find while conducting a modern assessment.

Only authors with 200 or above level certifications are eligible for bounties greater than $300.

Only Windows** and POSIX based operating systems (UNIX/LINUX) will be accepted for review at this time. Unfortunately, we cannot accept any other proprietary or commercial operating system submissions.

Submissions may meet varying levels of completeness, which will impact the compensation offered. We have detailed requirements, including alignment with the MITRE framework, exploitation walkthroughs, and system build scripts for each submission. All of this information is detailed in our submission FAQ.

• * Please see our FAQ for an explanation of “grouped” and “chained” machines.
• ** We currently accept Windows machines from Windows 8.1 and Windows Server 2012 onward.