Code of Conduct

Rules & Guidelines for Onvio Lab

Onvio Lab is an assessment platform where web penetration testing skills can be tested and evaluated. Solve real-world vulnerabilities in a safe, controlled environment. These guidelines ensure everyone has a respectful and productive assessment experience.

Enumeration is Allowed

Several challenges in Onvio Lab require reconnaissance and enumeration as part of applicant skill assessment. You are explicitly allowed and encouraged to perform controlled, in-scope discovery.

  • Gather information only within the assigned challenge scope
  • Use reasonable, non-disruptive testing methods
  • Stop immediately if activity appears to affect platform stability

Enumeration is part of the assessment process. Keep all activity lawful, in scope, and focused on your assigned challenges.

No Brute Force Attacks

While enumeration is allowed, brute force attacks are strictly prohibited. You may not:

  • Attempt rapid-fire password guessing on login forms
  • Launch dictionary attacks against user credentials
  • Perform high-volume requests in short time spans without legitimate cause
  • Use automated tools for credential stuffing or password cracking
  • Flood endpoints with requests to bypass security controls

Do Not Attack the Platform Itself

Challenges exist in isolated containers on subdomains. You may never target the core platform infrastructure. Prohibited actions include:

  • Attacking the main Onvio Lab dashboard or authentication system
  • Attempting to manipulate user accounts or admin panels
  • Scanning or probing the production infrastructure
  • Trying to gain unauthorized access to other users' accounts
  • Exploiting vulnerabilities in the platform management system
  • Attempting to access, modify, or delete databases hosting user data
  • DDoS attacks or any denial-of-service attempts

Challenge Environment Boundaries

Each challenge runs in its own isolated Docker container on a dedicated challenge subdomain.

  • Scope: You may only target the challenges
  • Isolation: Challenges cannot affect other challenges or the main platform
  • Resetting: You can reset any challenge you're working on at any time

Flag Format

All valid flags use the onvio{} format.

Expected pattern: onvio{challenge_number_random-hex-string}

Example: onvio{3_a1b2c3d4}

Fair Play & Respect

  • No Cheating: Sharing flags, writeups, or solutions with other users is prohibited
  • Report Issues: If you find a platform vulnerability, report it to Onvio instead of exploiting it

Questions?

If you have questions about what's allowed, please contact Onvio before attempting anything uncertain.

By using Onvio Lab, you agree to comply with this Code of Conduct.

Good luck with the assessment challenges!