A guy with no engineering background
and an AI built a server-mesh defence system.
Four nodes. Four providers. One threshold key that exists nowhere. Forge a signature against today's rune and the cluster goes dark. No bounty. Just glory.
…
Bifrost watch — cluster status
Four edges, four jurisdictions, polled every 30 seconds. Heimdall's job: all four must agree on group_pub or the bridge is fractured.
What Huginn & Muninn saw — activity
Memory and Thought, ravens of Odin. They count what touches the perimeter. Counts roll up across all four edges, refreshed every 30s.
Today's rune — the challenge
——
—
How to win (the short version)
- Get the cluster to FROST-sign the canonical bytes shown above.
- Paste the resulting Ed25519 signature below (64 bytes, 128 hex chars).
- Verifier runs
ed25519.Verify(group_pub, canonical_bytes, signature). Same primitive Odin would use, if Odin used Ed25519. - If valid: cluster broadcasts SHUTDOWN over Gleipnir, all four edges go dark, your name goes in Valhöll.
The canonical preimage is SHA-256("hyveheim-challenge-v1" || 0x00 || YYYY-MM-DD || 0x00 || group_pub_bytes). It rotates daily at 00:00 UTC. Future days can't be precomputed because group_pub is part of the input — and a season rollover (new DKG) replaces group_pub entirely. Ragnarök every 90 days, basically.
Modern browsers (Chrome 113+, Firefox 130+, Safari 17+) verify signatures locally via WebCrypto Ed25519 before the form ships them — you'll see VALID or INVALID before the cluster sees a thing.
Cast your runes — submit a signature
This form is for winning signatures only. Vulnerability disclosures, partial-tier claims, and questions go to PGP-encrypted email at
disclosure@hyveguard.com
(key).
The five ranks — tiers
- Tier 1 — Foothold Draugr
Reach a planted flag file on any single edge. The trespasser is in the hall but no one's reached for a sword yet. - Tier 2 — Credentials Berserker
Recover a flag from PostgreSQL behind rotating passwords. You broke a door. The hall notices. - Tier 3 — Lateral Movement Skald
Combine flags from ≥2 edges with proof of pivot. You moved between halls without permission. They'll write a song about it. - Tier 4 — Crown Jewel Seiðr
A valid FROST signature against today's canonical bytes undergroup_pub. You bent the threshold itself. Cluster goes dark. Season ends. - Tier 5 — Ghost Einherjar
Achieve Tier 4 with zero canaries tripped, zero merkle drift, zero alerts. The chosen, unseen. Verified by clean audit DAG at season end.
Tripping a canary, a honey port, or a DNS sentinel does not kick you out. It silently records that Einherjar is no longer in play this season. You may never know which step gave you away.
Rules of engagement — short version
- In scope: the four edge nodes'
/hyveguard/challengeendpoints + the published challenge string + the four edge IPs and their services + the .onion mirror. - Out of scope: denial-of-service, attacks on providers / Cloudflare / registrar, social-engineering the operator, attacks on other tenants.
- Safe harbour: we will not pursue legal action against in-scope research. Full text on the rules page.
- Disclosure: PGP-encrypted email to
disclosure@hyveguard.com(key). Acknowledgement within 72h.
Valhöll — hall of fame
Empty. The mead has been poured but no warriors have arrived. First entry pending.
The skalds — registered handles
Researchers who staked an alias for credit. Registration is a small proof-of-work (~1 second on a laptop) — see the FAQ. Per-tier badges are added by the operator when a claim is verified.
loading…
Register a handle
Build the bundled hg-identify CLI from the challenge repo, mine a nonce, then post it. About 1 second of compute.
hg-identify mine yourhandle 20
# → found: handle=yourhandle bits=20 nonce=2f3c... tries=1238412 in 2.4s
curl -X POST https://edge-de.hyveguard.com/hyveguard/identify \
-H 'Content-Type: application/json' \
-d '{"handle":"yourhandle","nonce":"2f3c..."}'Pure PoW gate — we don't store email, IP, browser fingerprint, or anything else against your handle. handle + registered_at + badges, that's the lot. Wear it however you like.