Rules of Engagement

We will have a Zero Digital Footprint policy. Other than the submitted report, all material collected will be deleted in accordance with HMG IA guidelines (Erased with a min. of three rewrites) (On Windows, use ERASER ). At any point, if you think an action will impact an operational system, you are not to conduct the activity without express permission from the gamemaster.

The 'Safeguard' rule is in force.


All systems and public facing information are authorized to be used in order to map the network and organizational structure of each institution. However, once vulnerabilities have been located and the flag has been identified, the attacker must cease once it has located a login screen, in any form. No brute forcing of credentials or systems is authorized. However, if credentials are located via other public sources (pastebin, hacker forums etc), these details are authorised to be documented in the exploit action plan that will be submitted with the paperwork, and the source must be referenced. Any types of probing that are stated as *active* have to be requested via each institution's Gamemaster and then related to the security teams of both institutions. In establishing the flags (i.e. screenshots) they must only be conducted within working hours in case there are any operational impacts of these events.
Primary Communications, Command and Control aspects of this exercise will be run by the Gamemasters. These will be in constant communications with each other within the Fleep chatroom “Exercise Mercury Gamemasters”. A communications check will be conducted 30 minutes prior to the start of the exercise on each day. Fallback communications will be established via telephone (details will be exchanged before the serial start).

All communications with the Gamemaster (Vulnerabilities and reports) are to be submitted via the Flag Submit form and encrypted using the PGP public key for this exercise