Delta Obscura's guidelines

Our Motto:

Move fast, break assumptions, build alliances everywhere, and let competence dictate gravity.

Table of Contents

  1. Introduction
  2. Core Philosophy
  3. Who We Welcome
  4. Hierarchy of Merit
  5. Rules for Public Discussion
  6. Compliance and Sanctions
  7. Ethical Guidelines for Vulnerability Research
  8. Conflict Resolution
  9. Banning, Muting, Kicking
  10. Retirement
  11. Mentorship
  12. Joining Delta Obscura
  13. Role Hierarchy

1. Introduction

We are Delta Obscura, the team behind Mission Cyber Sentinel, an international cybersecurity mission through which we identified vulnerabilities in widely used open-source software, reported them responsibly, and were credited with CVEs. Through this mission, we indirectly (through vendors) secured over 446,000 digital assets and protected more than 1.2 billion users worldwide.

Currently, we have the following ongoing missions:

  1. Mission Vector Zero (MV0)
  2. Cyber Diplomat Initiative (CDI)
  3. Delta Knowledge Transfer Program (DKTP)

Read along to see whether Delta Obscura is somewhere you truly belong.

What is vulnerability research and why are CVEs important?

Vulnerability researchers are the people who hunt for security flaws in software, hardware, and systems before threat actors find them. They're problem-solvers who think like attackers but work to protect people. Every app on your phone, every website you visit, every smart device in your home: someone needs to find its weaknesses before criminals do.

Why CVEs Matter

CVE stands for Common Vulnerabilities and Exposures. Think of it as the universal language of security bugs, a standardized ID system that lets the entire world coordinate on fixing problems.

When you discover a vulnerability and it gets a CVE number, you've:

  • Left your mark on internet history - Your CVE-2025-XXXXX joins a permanent global database
  • Protected potentially millions of people - That WordPress bug you found? WordPress powers 43% of the web
  • Earned recognition - Security researchers are cited in company acknowledgments, conference talks, and Hall of Fame pages
  • Sometimes made serious money - Bug bounties can range from hundreds to hundreds of thousands of dollars

What's in it for you?

  1. Work experience
  2. Free mentorship
  3. Support and training
  4. Recognition & value on a global scale
  5. Independence and baked-in autonomy
  6. Bug bounties from open-source projects
  7. Earned respect based on proven competence
  8. Access to a network of cybersecurity professionals
  9. Ability to become a service provider, teach others & earn money
  10. Work with our partners through CTF events, training, threat intel sharing & cyber operations

What's expected of you as a member?

  1. Contributing to missions via vulnerability research
  2. Outreach & building partnerships between Delta Obscura & events or teams in your region
  3. Building your own brand, portfolio & becoming independent of Delta Obscura

We have an entire structure for that. We didn't just wake up one day and dream this up; this was done previously, and the people who did it decided to turn it into a replicable blueprint for everyone.

2. Core Philosophy

Delta Obscura operates on one single rule: competence is the highest currency. We are a meritocracy, where skill and contribution outweigh tenure, credentials, or age.

If you are talented, even at 14, and capable of protecting digital infrastructure from cyber-attacks, your value here is recognized above someone with decades of experience but little real-world impact.

Our entire framework rewards three foundational virtues:

  1. Competence
  2. Excellence
  3. Pedagogy

How We Prepare You for Independence

In a typical org, imagine you have 10 CVEs and you mentored 7 students under the banner of "the team" or "the family." Then suddenly you have a disagreement with the people in charge and you leave, whether on good or bad terms. Most companies who call you family will interpret any kind of disagreement as betrayal. At this point, if you had relied on tenure or friendships for references, you would be forever dependent on the goodwill of the people you parted ways with. This is not a comfortable position to be in.

But if your achievements are your own, and they are documented by you, then nobody can take them from you. Not us, not anyone else, because they will be public, perhaps on your own website. This is a much better structure than ones relying on tenure and goodwill, because relationships can be messy and we don't like messy. That's why we prepare you for independence.

This is something we actively encourage. We do create accounts for our members on our website, but we always encourage them to have their own brand, their own portfolio. Delta Obscura shouldn't be the only achievement in your life. It's just a team that elevates you. Your achievements must stand on their own without our blessing, and that's something we want to prepare you for: complete independence.

We Are Not a Family. We Are a Team of Professionals.

Delta Obscura is not a family. The sentence "we are a family" is a manipulative sentence often used to trigger emotions in people by taking a moral stance. It's a way to try to trick/convince you to give a greater degree of devotion to the company than they're willing to give you. The idea is that a person is willing to give an awful lot to their family without looking for any reciprocal exchange.

We are not a family. We are a professional network of vulnerability researchers who work together on cybersecurity missions that have real-world impact on businesses and human lives. We work together even though we have completely different values, beliefs, nationalities and cultures. We don't do it because we are a "family"; we do it because we are professionals united by common goals.

You give your valuable time to contribute to cybersecurity missions, and in exchange we ensure you are treated fairly for your contributions and that your contributions are remembered, not forgotten or destroyed the moment you leave "the family" or have a disagreement with an old member of "the family".

3. Who We Welcome

We don't shy away from unconventional minds or strong personalities. DEFCON was built on unconventional minds, and so was Unit 8200. Talent doesn't come polished or politically correct.

If you identify with any of the following, you'll likely find your tribe here:

  1. Experienced CVE hunters
  2. People looking to get their first CVE
  3. People who already have CVEs but want higher impact ones
  4. Seasoned veterans who want collaborators with other vulnerability types
  5. People who want to share knowledge and teach others

We want mavericks, not yes-men. People who think for themselves and aren't afraid to challenge assumptions. What unites us isn't conformity or unspoken hierarchies. It's competence. You either have it or you don't.

4. Hierarchy of Merit

In Delta Obscura, the most competent individuals naturally rise to the top.

This means a member can outperform the founders. Our structure is designed to elevate elite performers and reward those who demonstrate exceptional skill and the ability to teach others.

This isn't just talk. Delta Obscura was founded by Hamy and Daeda1us. Today our top vulnerability researcher is Alasdair Gorniak, a member who isn't a founder or a lead. He got there because his CVEs affect the most people and digital assets.

Merit isn't determined by how long you've been here or who you know. It's determined by what you can do and what you contribute. A talented newcomer with a critical zero-day discovery carries more weight than a veteran coasting on past achievements. This isn't personal, it's practical. In cybersecurity, relevance is earned daily, not granted permanently.

5. Rules for Public Discussion

To maintain integrity and respect within our community, all members must adhere to these non-negotiable rules:

  1. No laws are to be broken
  2. No harassment or personal attacks
  3. No humiliation of newcomers
  4. No political/gender debates
  5. No inflammatory remarks towards any people, ideologies or religions

A Word on Healthy Discussions

Debates, arguments, and public criticism are encouraged. They're the foundation of progress. But criticism must follow certain rules to keep things civilized.

You can challenge anyone's code, methods, or ideas with bluntness, no sugarcoating. This includes administrators and founders. What's not acceptable:

  1. Public humiliation of any member
  2. Criticizing without providing a solution
  3. Turning criticism into memes or ridicule
  4. Using aggression, insults, or condescension

Your goal when challenging members should be correcting and elevating them. If you see a problem, you can't criticize it unless you can provide a solution.

We want members to feel safe challenging authority figures (admins, seniors, mods) without fear of retaliation: bans, passive-aggression, ostracism, or anything else.

Our moderators have faced criticism before and handled it. But tolerance has limits. We value honesty over political politeness, but never at the expense of mutual respect. We have patience and emotional intelligence for reasoning with just about any type of person. We're a transnational team. Working across cultures is in our DNA.

Learn to criticize like a surgeon: analytically and logically, without emotion.

6. Compliance and Sanctions

Delta Obscura operates under Cyber Mounties (Canada) and therefore complies with Canadian law, including sanctions regulations.

If you reside in a sanctioned country, you will not be able to access:

  • Our infrastructure (cloud services, GitHub)
  • Official organization emails (@cyberm.ca)
  • Internal tools or delta.cyberm.ca membership

While these restrictions are beyond our control, you may still be able to:

  • Join our Discord community
  • Contribute to missions and receive credit
  • Collaborate on vulnerability research

For example, if you discover a zero-day affecting Canadian infrastructure, we will help you disclose it responsibly, no matter where you are based.

7. Ethical Guidelines for Vulnerability Research

This section covers what we do, how to handle vulnerabilities with care, and how to remain within the law. Here are some rules to help you out:

  1. Do not share details of vulnerabilities you find with anyone else, unless you really know the other side follows the same ethical principles as you
  2. Do not disclose vulnerabilities 90 days before reporting them to vendors or a CVE Numbering Authority (CNA)
  3. Always obtain proper authorization before testing any system; only investigate assets you own or have explicit written permission to assess
  4. Keep your testing methods minimally invasive; avoid actions that could disrupt services, damage data, or impact real users
  5. Communicate responsibly and clearly with vendors, including providing reproducible but non-harmful proof-of-concept details when needed for remediation
  6. Respect privacy at all times; never access, modify, or store unrelated personal or sensitive data encountered during research

8. Conflict Resolution

This policy applies to all members, including administrative roles & partners.

When conflicts arise:

  • If a disagreement becomes tense or unproductive, everyone involved must take a 48–72 hour cooling-off period.
    • During this time, the conflict should not be discussed publicly.
  • A temporary mute may be used to prevent escalation, but no one will be removed, kicked, or banned solely because of a conflict, regardless of severity.
  • We do not enforce instant or permanent bans. All serious situations are investigated with proper logs and documentation.

After the cooling-off period:

A facilitated conversation may take place with a neutral moderator (admin or trusted member). Their role is to ensure everyone is heard without interruption or hostility.

Our focus:

  • Prioritize understanding over blame. We look at:
    • What happened
    • How it affected those involved
    • How to prevent similar issues in the future
  • Outcomes may include clearer expectations, new boundaries, or updates to community rules—never scapegoating or holding past mistakes over anyone.

Expectations for participants:

  • Engage respectfully
  • Assume good faith before, during, and after the resolution process

9. Banning, Muting, Kicking

We have a policy for 'member management' so that even mods & admins can't misuse their rights and privileges. Due process is followed at all times.

General Principles

  • Moderation actions must be fair, transparent, and proportional to the behavior.
  • No punishment should be issued without clear reasons, and no member should be permanently removed without an opportunity to respond.
  • Whenever possible, corrective conversations and warnings should come before punitive actions.

1. Muting (Least Severe)

  • Used only to stop ongoing disruption, harassment, or escalation.
  • Duration should be short and clearly stated (e.g., 1-24 hours depending on severity).
  • A muted member must receive a brief explanation of why the mute occurred and how to avoid future issues.
  • Mutes should be logged for accountability.

2. Kicking (Temporary Removal)

  • Used when a member repeatedly disrupts conversations _after warnings_ or ignores moderator requests.
  • A kick is a temporary reset, not a punishment. The member may return immediately unless otherwise specified.
  • Mods must provide a short written justification in the moderation log.
  • A kick cannot be used as a substitute for a ban.

3. Banning (Most Severe)

  • Only permitted when a member:
    • Engages in severe harassment, threats, or hate speech
    • Repeatedly violates rules after multiple documented interventions
    • Poses a genuine safety, security, or legal risk to the community
  • Before a ban is issued, the member should, when feasible, receive:
    • A clear final warning
    • A chance to respond or explain
  • Emergency bans (e.g., credible threats, doxxing) may be issued immediately but must be reviewed by at least two moderators within 24 hours.

4. Due Process & Accountability

  • Every action (mute, kick, ban) must be logged with:
    • The mod(s) who took the action
    • A short explanation
    • Links/screenshots of relevant behavior if appropriate
  • Members may appeal actions to the mod team. Appeals must be reviewed by moderators not involved in the original decision.
  • Mods who repeatedly misuse these powers may lose moderation privileges.

5. Second Chances

  • Temporary bans (e.g., 7–30 days) should be considered before permanent bans unless the behavior is extreme.
  • Returning members should not be harassed, mocked, or punished for past behavior if they comply with the rules going forward.

If a member feels like due process wasn't followed or they were wronged, they can always reach out privately to admins.

10. Retirement

Retirement only applies to members and contributors, not lead researchers. If you don't produce new output every 90 days, you will be retired.

No one stays a member forever. Priorities shift, life evolves, and we may eventually part ways, which is why we have a retirement plan designed to preserve all of your achievements while allowing you to move forward gracefully.

We may suggest retirement to members who are no longer able to contribute meaningfully. This isn't punitive, it's just pragmatism. Retirement creates space for new talent and ensures the community remains dynamic and productive. It's evolution, not elimination.

Even the founders and administrators are not immune to this process. Retirement is inevitable for everyone, which is precisely why we invest in creating the next generation of cybersecurity leaders, so the mission continues beyond any individual.

Your contributions are yours to keep, regardless of your status within Delta Obscura. We honor what you've built, even if our paths diverge.

11. Mentorship

In any mentorship context, you must first consider the source. Is the teaching material coming from someone who holds 10+ certifications but no real-world experience, or from someone with a few credentials, extensive practical experience, and exposure to diverse cultures and operational environments?

The Quality of Our Mentorship

To understand the quality of our mentorship, you need to understand who we are and what we represent.

Our team has collectively earned 35+ CVEs in under 10 months. Our members hold the following certifications:

  1. Offensive Security Certified Professional (OSCP)
  2. Certified Penetration Testing Specialist (CPTS)
  3. Certified Web Exploitation Specialist (CWES)
  4. BurpSuite Certified Practitioner (BSCP)
  5. Certified Red Team Operator (CRTO)
  6. Practical Network Penetration Tester (PNPT)
  7. Cisco Certified Network Associate (CCNA)
  8. Cisco Enterprise Network Core Technologies (ENCOR)
  9. eJPT - Junior Penetration Tester
  10. CompTIA Security+

Our members have submitted vulnerabilities to the following entities:

  1. Apache Software Foundation
  2. Department of Defense
  3. Microsoft
  4. Google
  5. NASA
  6. Frappe
  7. Typo3
  8. NetSweeper
  9. Project Send
  10. OpenCart

We have collaborated with vendors and researchers on fixing vulnerabilities across the following countries:

  1. Canada
  2. United States
  3. United Kingdom
  4. Latvia
  5. China
  6. Romania
  7. India
  8. Germany
  9. Ukraine
  10. Vietnam
  11. Italy
  12. Argentina

Maximum Apprentice Capacity

The community has a maximum capacity of 5 apprentices per mentor at any given time. We cannot and will not exceed this limit.

Read further to see how you can join us and get mentorship from us.

12. Joining Delta Obscura

If you like what we do and want to join us, here's the entire process and how it works. You can choose any of these pathways:

  1. Apprentice pathway: We mentor you to get your first CVE
  2. Member pathway: You have at least one published CVE and we evaluate it for membership
  3. Contributor pathway: We evaluate your CVEs to see if they match requirements for an ongoing mission

Apprentice Pathway

An apprentice is someone who is eligible for mentorship from Delta Obscura. To become an apprentice, member, or contributor, we need the following from you:

  1. A public LinkedIn profile or manual verification through school/work email
  2. Proficiency in English. If we can't communicate, we can't work with you.
  3. You must be 16 years old or older

If you meet these requirements, you can browse our mentors and buy mentorship here:
https://services.cyberm.ca/mentorship

Here's a breakdown of how 1v1 mentorship works:

  1. You book an initial interview where we evaluate your technical aptitude. Mentors can accept or reject you based on your skillset and how you communicate. Training is never the same for all members because different people have different skillsets. We take our time to understand your needs.
  2. After the initial interview, we provide you with a summary of what you need to learn on your own and what we can teach you. At this point we'll provide a quote for how long the training will take and how much it will cost.
  3. We have a 60-day money-back guarantee. If we fail to train you to get your first CVE on your own, we'll refund you at the end of 60 days.

Once you complete our apprenticeship pathway, you will become a member.

Member Pathway

If you already have at least one published CVE or vulnerability, you can join directly as a member. However, you must still go through our technical evaluation form.

If you don't have a CVE yet, you can read our Comprehensive CVE Hunting Guide to get started. In addition, you can use 0den to find open-source targets that match your skillset. You can find targets for web, binary exploitation or IoT.

We don't just accept any CVE. Whatever vulnerabilities you identify must have an impact on real websites, businesses and people.

Contributor Pathway

To become a contributor, you must have a CVE or vulnerability that meets the requirements for one of our ongoing missions. If you think you've found a vulnerability that meets these requirements, use the technical evaluation form.

13. Role Hierarchy

We're a meritocratic group. Hierarchy is based on contributions in cyber, not tenure or friendships.

Member Roles

These roles represent your progression based on technical contributions and impact:

  1. Apprentice: Learning to get your first CVE with our mentorship
  2. Member: Has at least one published CVE
  3. Contributor Level 1-3: Actively contributing to 1 to 3 Delta Obscura missions
  4. Lead Researcher: Elite performers who demonstrate technical excellence, leadership, and complete independence

Administrative Roles

These roles manage community operations and support member growth:

  • Administrator: Manages Delta Obscura operations and strategic direction
  • Moderator: Enforces community standards and resolves conflicts
  • Mentor: Provides 1v1 technical training to apprentices

Other Roles

  • Partner: External collaborator or allied organization
  • Retired: Former member, contributor, or lead researcher no longer active
  • Outreach: Engages with other teams, events, or companies to establish partnerships

Contributor Levels 1-3

Each contributor level represents a mission you've completed or contributed to. Contribute to 3 missions to qualify for Lead Researcher evaluation.

Becoming a Lead Researcher

This is our highest technical role. It's not just about finding vulnerabilities, it's about proving you can lead, teach, and operate independently in the cybersecurity world.

Requirements:

  1. Mission Contributions: Contribute to 3 distinct missions or make 3 contributions to a single mission
  2. Pedagogy: Mentor at least 10 people in cybersecurity (bug bounties, certifications, vulnerability research)
  3. Innovation & Leadership (choose one):
    • Identify and resolve a flaw or inefficiency in our processes
    • Launch an independent cybersecurity mission with realistic scope
    • Establish partnerships by connecting Delta Obscura with other cybersecurity teams or companies
  4. Personal Brand: Create your own website or professional brand
  5. Demonstrated Independence: Prove you can operate autonomously by leading your own company, team, or cybersecurity initiative

This role requires reaching Contributor Level 3 and mentoring at least 10 people who publicly credit your guidance.

Why requirement #3 matters: We don't want obedient Lead Researchers who blindly follow authority. We need individuals who identify broken systems, challenge inefficiencies, and drive innovation. A Lead Researcher must embody the energy that questions fearlessly and leads without seeking permission.

We need resilient hackers who can handle the intense pressure of real cyber operations. Lead Researchers must take full ownership of initiatives and see them through to completion, even without external support.

Success Story in Progress

Hamy is our closest example:

  • Mentored 5 vulnerability researchers (3 publicly credited his guidance)
  • Started and contributed over 70% of Mission Cyber Sentinel's workload
  • Contributed to 3 distinct missions
  • Established partnerships with external cybersecurity teams
  • Built his own personal brand
  • Demonstrated independence and autonomous operations

He's not there yet, but he's the closest.


Where do our members live?

We are a global team and as such, our members live everywhere. The dots indicate locations where members live and the numerics indicate how many members per city.
