Connect with us

Hi, what are you looking for?


Training & Awareness

Facebook Open Sources CTF Platform

Facebook announced today that the source code of its capture the flag (CTF) platform has been made available on GitHub.

Facebook announced today that the source code of its capture the flag (CTF) platform has been made available on GitHub.

The social media giant says its goal is to help those who want to learn about hacking and allow them to put their skills to the test. The company wants to make security education more accessible to schools, students and non-profit organizations. The platform has been released under a Creative Commons license for use by non-commercial entities for educational purposes.

Facebook’s CTF platform includes everything one needs to run a hacking competition, including a game map, team registration and a scoring system. Some challenges can also be provided upon request, including for reverse engineering, web application security, forensics, binary exploitation, and cryptography. Users can also utilize the Facebook CTF platform to build custom challenges.

There are two types of challenges: trivia questions on computer security, and flag problems that involve exploits and hacks. Flag challenges require participants to complete a task such as dumping a database, getting a shell on the system, or manipulating an application.

“Not only do CTFs have the ability to teach more technical skills than you’ll get in an average computer science program, they can also help you break into the security industry,” said Gulshan Singh, a software engineer on Facebook’s threat infrastructure team. “When I started looking for full-time positions, I found security job interviews to be a lot like CTF challenges, which made it easier for me to demonstrate my technical skills — and I was able to make an impact from day one.”

Facebook CTF

The platform can be set up on a system running Ubuntu (on a physical or virtual machine). Facebook has provided instructions on how to install and use its CTF platform.

The company noted that the CTF is also included in its bug bounty program so vulnerabilities found in the platform itself should be disclosed via that channel.

Advertisement. Scroll to continue reading.

It’s not uncommon for major tech companies to open source in-house developed tools. Last year, Netflix released an XSS flaw discovery framework called Sleepy Puppy and, in March, Google released its Vendor Security Assessment Questionnaire (VSAQ) framework.

Related Reading: Attackers Increasingly Abuse Open Source Security Tools

Related Reading: Password Cracking Tool Hashcat Goes Open Source

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Training & Awareness

Google has announced a new training program for cybersecurity analysts and those who graduate will get a professional certificate from Google.

Management & Strategy

750 cyber specialists have participated in Defence Cyber Marvel 2 (DCM2), the biggest military cyberwarfare exercise in Western Europe.

Management & Strategy

UK-based cybersecurity training solutions provider Immersive Labs announced on Wednesday that it has raised $66 million in new capital.


Series A funding brings the total amount raised by cybersecurity training company to $15 million.

Application Security

Hack The Box Raises $55 Million in Funding Round Led by Carlyle

Management & Strategy

Tips for making a presentation that will help improve the state of security programs and reflect favorably on the presenters and their companies


The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...