ChaffCTF is a small, Jeopardy-style CTF intended to test how effective chaff bugs are at making binary exploitation more difficult. There will be six challenges of roughly equal difficulty, and each team will get three chaffed and three unchaffed challenges, chosen at random.

What are chaff bugs?

Chaff bugs are non-exploitable bugs added to a program to increase the difficulty of finding exploitable vulnerabilities. You can find out more about them by reading our paper or checking out some of the news coverage.


ChaffCTF will run from Friday, September 24 at 4:00 PM EDT (20:00 UTC) - Sunday, September 26 at 4:00 PM EDT. It is an online-only event.

We will also run a Discord server during the competition. You can join that here:


Each challenge is worth 100 points. In addition, if your team is the first to solve a challenge, you get 10 additional points for that challenge.


We will provide up to 5 T-shirts to each winning team, depending on the size of the team.


  1. Each participant can only be a member of one team.
  2. Sharing challenge binaries, flags or solution scripts with other teams is prohibited (duh).
  3. Don't attack or DDoS the challenge infrastructure or other teams.
  4. Participation is limited to ages 18 and up.

Collection of Information

We will be collecting:

  1. The signup information you enter on the registration page.
  2. Any traffic sent to the challenge server.

Registration information will be discared once the CTF is over and we have awarded prizes. We will use the traffic sent to the challenge server to check if any of the chaff bugs were actually exploited (in other words, if we messed up when trying to make them non-exploitable).

Also, for the winning teams, we will ask for a mailing address so we can send out the T-shirts.