Rules and Terms of Use

By creating an account, logging in, using a lab, accessing course material, downloading a VPN profile, submitting flags, or otherwise using Project 2501, you agree to these Platform Rules and Terms of Use.

If you use the platform on behalf of an employer, school, client, event, or other organization, you represent that you are authorized to do so and that both you and that organization will follow these terms.

If a separate written agreement applies to your organization, that agreement controls where it conflicts with these terms.

Project 2501 provides controlled AI security training labs, intentionally vulnerable services, learning material, scoring, progress tracking, certificates, and related tooling.

The platform is for education, authorized security practice, defensive research, and skill development. It is not authorization to test, attack, scan, exploit, or access any system outside the platform scope.

Authorized targets are limited to Project 2501 systems, lab services, challenge endpoints, files, APIs, model routes, VPN gateways, and dashboard features that are made available to your account.

You may use offensive security techniques only against the targets assigned to you and only for the purpose of completing training or reporting a platform issue.

No permission is granted for third-party systems, public internet targets, other users' environments, cloud resources not assigned to you, or infrastructure that is not clearly part of your Project 2501 access.

You are responsible for activity performed through your account, session, VPN profile, API token, or assigned lab resources.

Keep credentials, invite codes, cookies, tokens, private URLs, VPN profiles, certificates, and downloaded material secure. Do not share account access unless the platform operator has explicitly allowed it.

Notify the platform administrator promptly if you believe your account, VPN profile, or token has been lost, exposed, misused, or accessed without permission.

You may start and stop assigned labs, inspect provided services, run training exercises, submit flags, use provided hints and briefings, download assigned files, and test within the stated challenge scope.

You may write notes, scripts, reports, and proofs of concept for the assigned labs, provided they are not used to harm other systems or users.

You may report platform bugs and security issues privately using the reporting process made available by the platform operator.

You must not attack, scan, probe, exploit, overload, or attempt unauthorized access to systems outside your assigned Project 2501 scope.

You must not target other users, view or modify their data, impersonate them, intercept their traffic, brute force their accounts, reuse their VPN profile, or interfere with their labs.

You must not bypass usage limits, disable platform controls, evade logging, persist unauthorized access, plant malware, mine cryptocurrency, send spam, launch denial-of-service activity, or use the platform as a relay.

You must not upload or distribute illegal content, real personal data that you are not authorized to process, malware intended for real-world deployment, stolen credentials, or third-party confidential information.

You must not publish flags, answers, hidden challenge details, private exploit chains, platform secrets, or internal infrastructure details in a way that harms the platform or spoils the training for others.

Labs are intentionally vulnerable and may contain fictional companies, simulated data, unsafe configurations, and exploit paths designed for training.

Use lab resources reasonably. Stop labs when finished, avoid unnecessary load, and follow time, concurrency, bandwidth, and compute limits shown in the platform or provided by administrators.

Do not expose lab services to the public internet, tunnel them to unauthorized users, connect them to production systems, or import real customer, patient, student, employee, or confidential data into them.

Report platform bugs, security issues, scoring errors, broken labs, access problems, and content mistakes privately to contact_p2501@proton.me.

A useful report includes your username, affected page or lab, steps to reproduce, expected result, actual result, timestamps, screenshots or logs, browser and OS, VPN status, and impact.

For security issues, keep testing limited to confirming the issue. Do not access unnecessary data, modify data, persist access, disrupt service, or publish details until maintainers confirm that disclosure is safe.

Good-faith reports made within these rules are welcome. Reports involving extortion, threats, public pressure, data theft, destructive testing, or out-of-scope systems are not authorized.

User content may include usernames, profile information, flag submissions, answers, notes, reports, bug reports, logs, screenshots, support messages, and files you provide to the platform.

You retain ownership of content you submit, but you grant the platform operator a license to host, store, process, display, review, reproduce, and use it as needed to operate, secure, improve, support, and administer the platform.

Do not submit content you do not have permission to share. Do not include real secrets, personal data, regulated data, customer data, or third-party confidential material unless the platform operator has explicitly approved that use.

The platform may collect and process account data, authentication events, VPN assignments, lab state, container status, API usage, flag submissions, hint usage, scores, progress, support reports, security events, and technical logs.

This information may be used to provide the service, secure the platform, investigate abuse, debug issues, measure progress, generate certificates, enforce rules, and improve content.

Administrators for your organization, course, or event may be able to view progress, submissions, account status, and related training activity.

Use of the platform may involve personal data such as account identifiers, contact details provided by administrators, IP addresses, device information, usage logs, progress, and support communications.

The platform operator should handle personal data according to the privacy notice, data processing agreement, or organizational agreement that applies to your deployment.

Users must avoid adding unnecessary personal data to labs, reports, submissions, screenshots, or support messages.

The platform, course structure, lab designs, text, graphics, challenge logic, scoring systems, certificates, and related materials are owned by the platform operator or its licensors unless otherwise stated.

You receive a limited, revocable, non-exclusive, non-transferable right to use the platform for authorized training and internal learning.

Do not copy, resell, redistribute, publish, scrape, mirror, reverse engineer, or create competing training material from Project 2501 content without written permission.

Model responses, hints, briefings, generated content, and lab outputs may be incomplete, inaccurate, fictional, unsafe, or intentionally misleading as part of the training design.

Do not treat platform output as professional, legal, compliance, medical, financial, or operational advice. Verify important information independently before using it outside the platform.

Scores, completion status, certificates, rankings, and achievements may be corrected, revoked, or withheld if they result from error, abuse, cheating, credential sharing, unauthorized automation, or violation of these terms.

Certificates indicate completion of specified platform activities. They do not guarantee professional competency, employment qualification, certification by a third party, or authorization to conduct real-world security testing.

The platform may change, suspend, remove, reset, or replace labs, models, features, content, scoring, access methods, limits, or infrastructure at any time.

The service may be unavailable because of maintenance, updates, security incidents, capacity limits, provider outages, configuration changes, or other operational reasons.

The platform operator may warn, limit, suspend, revoke, or terminate access for rule violations, suspicious activity, security risk, non-payment by an organization, legal requirements, or operational needs.

The operator may preserve and review relevant logs, revoke VPN profiles, invalidate tokens, reset labs, remove content, notify affected organizations, or cooperate with lawful requests where appropriate.

The platform is provided for training and educational use. To the maximum extent permitted by law, it is provided as is and as available, without warranties of uninterrupted operation, fitness for a particular purpose, accuracy, non-infringement, or error-free operation.

You are responsible for ensuring that your use of the platform, training material, tools, and techniques complies with all laws, contracts, employer rules, school policies, and professional obligations that apply to you.

To the maximum extent permitted by law, the platform operator is not liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, loss of data, business interruption, security incidents caused by misuse, or unauthorized activity by users.

Where liability cannot be excluded, it is limited to the amount permitted by applicable law or the amount paid for the affected user's access during the period giving rise to the claim, whichever is lower, unless a separate written agreement states otherwise.

To the extent permitted by law, you agree to defend, indemnify, and hold harmless the platform operator from claims, damages, losses, liabilities, costs, and expenses arising from your misuse of the platform, violation of these terms, infringement of third-party rights, or unauthorized security activity.

These terms are intended to operate alongside any order form, course agreement, organizational agreement, privacy notice, data processing agreement, or written platform policy that applies to your access.

If a court or competent authority finds part of these terms unenforceable, the remaining parts continue to apply. Failure to enforce a term does not waive the right to enforce it later.

These terms may be updated from time to time. Continued use of the platform after an update means you accept the updated terms.

Use contact_p2501@proton.me for bug reports, access requests, account issues, security reports, legal notices, and questions about these terms.

If your course, event, school, or organization has provided a separate support channel, use that channel for organization-specific requests.