Offensive Security is happy to introduce our User-Generated Content (UGC) program. The program is open to the community and successful submissions will make their way to our PG Play, PG Practice, or other lab offerings where they will be exploited by thousands of users. All UGC is subject to a strict approval process by our Labs team. If accepted, and upon the successful completion of your submission review, you will receive compensation for your efforts.

Read on to learn more about the several classes of requirements. As more of these requirements are met, the higher the payout per machine.

Submission payments:

Up to $300 REWARD

  • Fully functioning VM
  • Presentable and accurate walkthrough
  • Easy to understand and follow build script
  • CVEs no older than 18 months
  • MITRE framework alignment


  • Fully functioning VM
  • Presentable and accurate walkthrough
  • Easy to understand and follow build script
  • Unique or original machine build
  • Impeccable Exploit chains and overall concept
  • Clear descriptions of the lessons the box is designed to teach
  • MITRE framework alignment

Up to $1500 REWARD

  • Fully functioning set of "grouped" or "chained"* VMs
  • Realistic Penetration Testing scenarios only (no CTF-like machines for this payment tier)
  • Presentable and accurate walkthroughs
  • Easy to understand and follow build scripts
  • Unique or original machine builds
  • Impeccable Exploit chains and overall concepts
  • Clear descriptions of the lessons the boxes are designed to teach
  • MITRE framework alignment


All virtual machines submitted to Offensive Security via the UGC program will be reviewed in detail by our labs team. This ensures your submission meets the same high standards that the virtual machines developed in-house do. All submissions have guidelines and stipulations that you need to adhere to in order to be accepted. Please read these guidelines in detail at our FAQ here.

Approved, qualifying submissions are eligible for a reward based on tiered categories. Offensive Security reserves the right to refuse any submission. Offensive Security is wholly responsible for determining the category the submission belongs to.

Submitted systems will likely fall into one of two common scenarios:

  • Capture the Flag (CTF) style targets: These targets offer fun and challenging puzzles but are often not the realistic scenarios you would likely encounter in a real assessment.
  • Realistic penetration testing scenarios: These targets provide realistic scenarios of the sort you are likely to find while conducting a modern assessment.

Only authors with 200 or above level certifications are eligible for bounties greater than $300.

NEW for February 2021: Only Windows** and POSIX based operating systems (UNIX/LINUX) will be accepted for review at this time. Unfortunately, we cannot accept any other proprietary or commercial operating system submissions.

Submissions may meet varying levels of completeness, which will impact the compensation offered. We have detailed requirements, including alignment with the MITRE framework, exploitation walkthroughs, and system build scripts for each submission. All of this information is detailed in our submission FAQ.

* Please see our FAQ for an explanation of “grouped” and “chained” machines.

** We currently accept Windows machines from Windows 8.1 and Windows Server 2012 onward.

Wrapping Up

Offensive Security is renowned for our high standards and we apply those same standards to all submissions. Your submission will be reviewed by our labs team, who will review every detail of your virtual machine and documentation.

Your compensation will be based on the contents of the submission, including the actual exploit path, the creativity demonstrated, and the completeness of the submission.

The more effort you put into your submission the greater the compensation awarded to you.


  • Be creative
  • Be original
  • Try Harder


  • Don’t submit copied, similar, or otherwise plagiarized content
  • Don’t overlook the defaults – things like default Apache pages will be frowned upon
  • root/toor is not a good password combination for this environment

Please be sure to review our FAQ, which details all requirements for a submission, in detail. If you feel you are ready please use the form below to start the process.

Submit Your Machine for Review