Announcing the CTF winners

September 25, 2019


Reading time

Thanks to everyone who participated and helped make this contest a success! These intrepid developers decided to test their vulnerability hunting skills by learning QL, our simple, yet expressive, code query language. The CTF utilized the U-Boot codebase to teach would be security researchers to write queries that find real world vulnerabilities. Our judges had many wonderful entries to choose from, and after reviewing them all, we have two clear winners.

Congratulations to Luat Nguyen and Sergi Martinez, the grand prize winners of the Semmle CTF Challenge. Each of them will receive a pair of Bose Noise Cancelling headphones.

The CTF Champions

1st Place - Luat Nguyen

Winning query Luat Nguyen is a security enthusiast, and loves both hacking and music. He created a very advanced query that found many potential vulnerabilities. It has a detailed explanation for the types of errors he is looking for and shows advanced use of QL. Exceptionally well done!

2nd Place - Sergi Martínez

Winning query Sergi Martinez (a.k.a zlowram) is a Security Engineer interested in vulnerability research, exploit development, reverse engineering, software development and, of course, CTF challenges. When he is not in front of the screen you might find him flying racing drones or riding his motorcycle. Sergi utilized excellent use of QL and really showed how a query can be modified to look for other kinds of problems in a code base.

We also have a number of honorable mentions, for those who wrote excellent queries, and will also receive prizes for their queries. Give a shout out to Filipe Casal, Ben Caller, Nahuel Sánchez, Jesus Camacho, and Bruce Lee for their excellent submissions. These five individuals wrote the next best queries of the challenge. They demonstrated adept knowledge of QL and innovative problem solving techniques.

Want to learn QL?

Do you want to challenge your vulnerability hunting skills? We created these CTF challenges to allow you to do exactly that, while also helping you to quickly learn Semmle QL. There are a few challenges to choose from, so try them all.

Want to learn more about what we do?

At Semmle, we are pioneering new techniques in variant analysis to quickly discover new vulnerabilities and their variants in any codebase within hours rather than weeks. Top security teams at Microsoft, Google, and Uber use Semmle to protect their customers.

Our vision is to secure software, together. With over 1,600 QL queries contributed by the Semmle Security Research Team in partnership with our growing customer community, your security team is instantly extended with the capabilities of the top security researchers on the planet.