All participants at NorthSec are required to acknowledge and adhere to this Code of Conduct. The term “participant(s)” includes all attendees, organizers, speakers, sponsors, volunteers, and other invited guests for the duration of the event. We expect cooperation from all participants to help ensure a safe environment for everyone.
This Code of Conduct is not a legal document, but rather a statement of intent regarding the kind of space we want NorthSec to be. The examples enumerated in sections below are not exhaustive and are meant as illustrations of behaviour that does not align with NorthSec’s values.
NorthSec’s Values & Expected Behavior
NorthSec is dedicated to providing a positive and safe event for everyone, regardless of gender identity, sexual orientation, disability, physical appearance, body size, race, religion, age, economic status, education level, OS choices, text editor or scripting language preferences. In particular, NorthSec values diversity, and strives to be a place where historically underrepresented members of the security community can thrive.
Be friendly and welcoming
NorthSec is volunteer-run, hosted by infosec professionals spending countless hours of their free time to create a fun and unique experience for all. We all want to have a good time and share this friendly and welcoming ambiance.
Be patient and constructive
Remember that people are here to learn, share their knowledge, and have fun. However, not everyone has the same skill set, background or native language. Productive communication requires effort: think about how your words will be interpreted, and try not to make assumptions about people’s background. (For some good guidelines on communication in a technical learning environment, check out Recurse Centre’s social rules.)
Be respectful and collaborative
In particular, respect differences of opinion and differences between people. Do also consider that NorthSec’s organizers, challenge designers, and speakers are volunteers and have expended a great deal of time and effort in creating all the components of the event. Assume any errors you think you’ve found in a specific challenge or presentation were made in good faith.
Alcohol may be served at NorthSec, so please drink responsibly and adequately judge your personal capacity of absorption. Organizers have a right to refuse to serve alcohol to anyone, for any reason, at their sole discretion. If you encounter someone who is intoxicated and you believe they need support or intervention, let an organizer know. NorthSec reminds you that driving while intoxicated is a criminal offence in Canada. If you need to arrange safe transportation, organizers can assist you in locating a taxi or helping you to navigate public transportation.
Unacceptable Behavior Policy
NorthSec expects all participants to refrain from engaging in disrespectful, disruptive, and unlawful activity while attending NorthSec and to conduct themselves with respect for others at all times.
The following is a non-exhaustive list of behaviours that are considered unacceptable at NorthSec:
- Publishing sensitive, personal and/or private information regarding any participant without that participant’s explicit consent;
- Publishing intimidating, harassing, abusive, discriminatory, derogatory, or demeaning materials about any participant;
- Intimidating, harassing, abusive, discriminatory, derogatory or demeaning conduct toward any other participant;
- Heckling or other disruptions of talks, workshops, and Q&A periods;
- Offensive, discriminatory or inappropriate comments related to gender, gender identity and expression, sexual orientation, (dis)ability, mental illness, neuro(a)typicality, physical appearance, body size, race, ethnicity, or religion;
- Offensive, discriminatory or inappropriate comments regarding a person’s lifestyle choices and practices, including those related to food, health, parenting, drugs, and employment.
- Gratuitous, unwelcome or off-topic sexual imagery or behaviour. Participants are reminded that children are sometimes present at NorthSec events.
- Sexual attention, remarks, gestures or physical contact in the absence of active and affirmative consent. Participants are reminded that under Canadian law, any sexual contact (including touching and kissing) without affirmative consent — either through words or unambiguous conduct — is considered sexual assault. Neither silence nor passivity is sufficient to demonstrate consent under Canadian law. In other words, only yes means yes.
- Intimidation, stalking or following, threats of violence or incitement of violence towards any individual or group;
- Displaying offensive or discriminatory symbols or slogans;
- Inappropriate social contact, such as continuing to make attempts to communicate with someone after they have indicated that they do not wish to speak to you;
- Possession of any item that can be used as a weapon, which may cause danger to others if used in a certain manner.
- Any other conduct which endangers the physical safety or bodily integrity of others.
Speakers, volunteers and sponsors are also subject to the same policies as participants. In particular, speakers and sponsors should not use sexualised images, activities, or other material.
NorthSec operates extensive infrastructure. Apart from the infrastructure specifically put in place for that purpose during the CTF competition, any use of the facilities in place (physical and logical) to hack or commit an illegal act is strictly forbidden.
Some examples of unacceptable behaviour:
- Physically or logically attacking any part of NorthSec’s infrastructure;
- Physically or logically attacking any devices or tools belonging to other NorthSec participants;
- Physically or logically attacking third-party software, services or infrastructure upon which NorthSec relies (including property of the venue, hotel, or bars hosting afterparties);
- Infringing the rules set forth during the competition (CTF). For instance, not respecting the time limits imposed for some CTF challenges, and not complying immediately when asked by organizers to stop trying to solve the challenge.
Reporting Unacceptable Behavior
If you are the subject of unacceptable behavior or harassment, notice that someone else is being subjected to unacceptable behavior or harassment, or have any other concerns, please notify a NorthSec organizer as soon as possible. All reports are treated as confidential by default. If the person who makes the report wishes to be involved in its resolution, the NorthSec team will not take any steps toward resolution without their knowledge and consent.
If the person who has engaged in unacceptable behaviour or harassment is a member of the NorthSec organizing team, that individual is required by NorthSec policy to recuse themselves from handling the complaint.
NorthSec’s board members will be available to help participants if they wish to contact venue security or local law enforcement, to provide accompaniment, or to otherwise assist those experiencing unacceptable behavior to feel safe for the duration of the event.
You can report unacceptable behavior to any one of NorthSec’s organizers or you can email the contact address below, which is checked regularly throughout the event.
We will have emergency contact information posted here and otherwise advertised during the event.
Consequences of Unacceptable Behaviour
Anyone asked to stop unacceptable behavior is expected to comply immediately. If a participant is deemed to have engaged in unacceptable behavior, the organizers may take any action they deem appropriate in response, up to and including expulsion from NorthSec and from future events without warning or refund. Appropriate responses to unacceptable behaviour by the NorthSec team will aim to mitigate harm which has occurred, to resolve conflict where appropriate, and to protect participants from future harm. For example, an appropriate response may require an individual to apologize, pay for damaged equipment, or leave a social event.
If there is a conflict regarding what constitutes unacceptable behaviour or regarding the interpretation of this policy, please contact us using the information below.
Security Vulnerabilities Responsible Disclosure Policy
NorthSec organizers take all security issues very seriously and recognize the importance of conserving privacy and security through a responsible disclosure policy. Any security vulnerability found related to the event should be disclosed following this policy.
Information to report:
In order for us to be able to analyze the vulnerability correctly, do provide us with a complete vulnerability report including the following details:
- Vulnerable System/Application: the endpoint where the vulnerability occurs & all related parameters/information.
- Vulnerability Type
- Steps to Reproduce: step-by-step information on how to reproduce the issue.
- Screenshots or Video: a demonstration of the attack.
- Attack Scenario: an example attack scenario may help demonstrate the risk and get your issue resolved faster.
Once we have received a complete vulnerability report, we will take the following steps to address the issue:
- Request you to keep confidential any communication regarding the vulnerability for at least 30 days.
- Investigate and verify the vulnerability.
- Address the vulnerability if need be and release an update to patch it.
- Responsible disclosure dictates that following your private release to us, we will be provided 30 days to fix the issue before public notification is allowed, in the event that public notification is necessary.
NorthSec’s official photographers will be present during the event and will do their best in order to respect all requests by individuals not to be photographed.
NorthSec reserves the right to publish pictures of the current and past event on the following platforms:
- On our social media feed (Twitter, Facebook, YouTube).
- On our website (nsec.io).
- In promotional materials about the event (event presentation slides, sponsorship packages).
It is not always possible to correctly identify specific individuals in a large crowd when on-site. However, anyone appearing in a photograph published by NorthSec who does not wish to be can make a request to be made unidentifiable by writing to firstname.lastname@example.org.
Any attendee, organizer, volunteer, sponsor, or speaker who takes photos during the event is expected to abide by this policy.
In the context of certain events, alcoholic beverages may be sold or offered to participants. NorthSec will comply with the local laws to regulate consumption of both alcohol and cannabis.
In the presence of alcoholic beverages, NorthSec will do its best to notify participants in advance so that they can plan a suitable mode of transportation and will provide non-alcoholic beverages as an alternative.
Alcoholic beverages, if offered free of charge, might be limited through a voucher system. We invite participants to bring reusable cups so as to minimize the impact on the environment. It is important to note that possessing any illegal substance, including but not limited to narcotics and illegal drugs, and smoking (or vaping) outside the designated areas are strictly prohibited and fall under the unacceptable behavior policy.
For any reports of inappropriate behaviour before, during, and after the conference, please email email@example.com.
During the conference and CTF, board members will be on call for any violations of the Code of Conduct that require immediate action or support.
They can be reached on the conference Slack, as well as onsite.
During the training (May 12-15)
During the conference (May 16 & 17)
During the CTF (May 18 & 19)
We also have an emergency hotline available throughout the conference and CTF that will connect callers to on-call board members.