Delta Obscura's guidelines

Our Motto:

Move fast, break assumptions, build alliances everywhere, and let competence dictate gravity.

Table of Contents

  1. Introduction
  2. Core Philosophy
  3. Who We Welcome
  4. Hierarchy of Merit
  5. Compliance and Sanctions
  6. Ethical Guidelines for Vulnerability Research
  7. Retirement

1. Introduction

We are Delta Obscura, the team behind Mission Cyber Sentinel, an international cybersecurity mission through which we identified vulnerabilities in widely used open-source software, reported them responsibly, and were credited with CVEs. Through this mission, we indirectly (through vendors) secured over 446,000 digital assets and protected more than 1.2 billion users worldwide.

Currently, we have the following ongoing missions:

  1. Mission Vector Zero (MV0)
  2. Open Security Coalition (OSC)
  3. Delta Knowledge Transfer Program (DKTP)

Read along to see whether Delta Obscura is somewhere you truly belong.

Why Do We Have Cybersecurity Missions?

The core answer is simple: to make individual contributions matter more by connecting them to something larger.

Here's the reasoning broken down:

Vulnerabilities alone are limited in impact. A single CVE or bug bounty report is valuable, but in isolation it's just a finding. It doesn't tell a story, it doesn't build toward a goal, and it's hard to measure its real-world significance.

Missions create objectives and narrative. By wrapping vulnerability research into structured missions, contributors can say something meaningful like "I was part of a mission that protected over a billion users from potential cyberattacks", rather than just "I found a bug." That's a fundamentally different and more powerful claim.

They serve different audiences and skill levels. The three missions map to different people:

  • OSC is for beginners and those focused on collaboration and responsible disclosure across 100+ countries
  • DKTP is developer and educator-focused, turning real CVEs into CTF labs and shipping that knowledge to events internationally
  • Vector Zero is for experienced vulnerability researchers targeting high-impact software with 250,000+ users at CVSS 6.0+ severity

They reframe the incentive model. Instead of chasing CVE IDs or bounties for personal gain alone, members are motivated by collective impact — the idea that even a small contribution becomes part of a documented effort to protect millions of people.

In short, missions exist to give structure, purpose, and scale to what would otherwise be scattered individual work.

What is vulnerability research and why are CVEs important?

Vulnerability researchers are the people who hunt for security flaws in software, hardware, and systems before threat actors find them. They're problem-solvers who think like attackers but work to protect people. Every app on your phone, every website you visit, every smart device in your home — someone needs to find its weaknesses before criminals do.

Why CVEs Matter

CVE stands for Common Vulnerabilities and Exposures. Think of it as the universal language of security bugs — a standardized ID system that lets the entire world coordinate on fixing problems.

When you discover a vulnerability and it gets a CVE number, you've:

  • Left your mark on internet history — Your CVE-2025-XXXXX joins a permanent global database
  • Protected potentially millions of people — That WordPress bug you found? WordPress powers 43% of the web
  • Earned recognition — Security researchers are cited in company acknowledgments, conference talks, and Hall of Fame pages
  • Sometimes made serious money — Bug bounties can range from hundreds to hundreds of thousands of dollars

What's in it for you?

  1. Work experience
  2. Free mentorship
  3. Support and training
  4. Recognition & value on a global scale
  5. Independence and baked-in autonomy
  6. Bug bounties from open-source projects
  7. Earned respect based on proven competence
  8. Access to a network of cybersecurity professionals
  9. Ability to become a service provider, teach others & earn money
  10. Work with our partners through CTF events, training, threat intel sharing & cyber operations

What's expected of you as a member?

  1. Contributing to missions via vulnerability research
  2. Outreach & building partnerships between Delta Obscura & events or teams in your region
  3. Building your own brand, portfolio & becoming independent of Delta Obscura

We have an entire structure for that — we didn't just wake up one day and dream this up. This was done previously and the people who did it decided to turn it into a replicable blueprint for everyone.

2. Core Philosophy

Delta Obscura operates on one single rule: competence is the highest currency. We are a meritocracy, where skill and contribution outweigh tenure, credentials, or age.

If you are talented, even at 14, and capable of protecting digital infrastructure from cyber-attacks, your value here is recognized above someone with decades of experience but little real-world impact.

Our entire framework rewards three foundational virtues:

  1. Competence
  2. Excellence
  3. Pedagogy

How We Prepare You for Independence

In a typical org, imagine you have 10 CVEs and you mentored 7 students under the banner of "the team" or "the family." Then suddenly you have a disagreement with the people in charge and you leave, whether on good or bad terms. Most companies who call you family will interpret any kind of disagreement as betrayal. At this point, if you had relied on tenure or friendships for references, you would be forever dependent on the goodwill of the people you parted ways with. This is not a comfortable position to be in.

But if your achievements are your own, and they are documented by you, then nobody can take them from you. Not us, not anyone else, because they will be public, perhaps on your own website. This is a much better structure than ones relying on tenure and goodwill, because relationships can be messy and we don't like messy. That's why we prepare you for independence.

This is something we actively encourage. We do create accounts for our members on our website, but we always encourage them to have their own brand, their own portfolio. Delta Obscura shouldn't be the only achievement in your life. It's just a team that elevates you. Your achievements must stand on their own without our blessing, and that's something we want to prepare you for: complete independence.

We Are Not a Family. We Are a Team of Professionals.

Delta Obscura is not a family. The sentence "we are a family" is a manipulative sentence often used to trigger emotions in people by taking a moral stance. It's a way to try to trick/convince you to give a greater degree of devotion to the company than they're willing to give you. The idea is that a person is willing to give an awful lot to their family without looking for any reciprocal exchange.

We are not a family. We are a professional network of vulnerability researchers who work together on cybersecurity missions that have real-world impact on businesses and human lives. We work together even though we have completely different values, beliefs, nationalities and cultures. We don't do it because we are a "family"; we do it because we are professionals united by common goals.

You give your valuable time to contribute to cybersecurity missions, and in exchange we ensure that you are treated fairly for your contributions and that your contributions are remembered, not forgotten or destroyed the moment you leave "the family" or have a disagreement with an old member of "the family".

3. Who We Welcome

We don't shy away from unconventional minds or strong personalities. DEFCON was built on unconventional minds, and so was Unit 8200. Talent doesn't come polished or politically correct.

If you identify with any of the following, you'll likely find your tribe here:

  1. Experienced CVE hunters
  2. People looking to get their first CVE
  3. People who already have CVEs but want higher impact ones
  4. Seasoned veterans who want collaborators with other vulnerability types
  5. People who want to share knowledge and teach others

We want mavericks, not yes-men. People who think for themselves and aren't afraid to challenge assumptions. What unites us isn't conformity or unspoken hierarchies. It's competence. You either have it or you don't.

4. Hierarchy of Merit

In Delta Obscura, the most competent individuals naturally rise to the top.

This means a member can outperform the founders. Our structure is designed to elevate elite performers and reward those who demonstrate exceptional skill and the ability to teach others.

This isn't just talk. Delta Obscura was founded by Hamy and Daeda1us. Today our top vulnerability researcher is Alasdair Gorniak, a member who isn't a founder or a lead. He got there because his CVEs affect the most people and digital assets.

Merit isn't determined by how long you've been here or who you know. It's determined by what you can do and what you contribute. A talented newcomer with a critical zero-day discovery carries more weight than a veteran coasting on past achievements. This isn't personal, it's practical. In cybersecurity, relevance is earned daily, not granted permanently.

5. Compliance and Sanctions

Delta Obscura operates under Cyber Mounties (Canada) and therefore complies with Canadian law, including sanctions regulations.

If you reside in a sanctioned country, you will not be able to access:

  • Our infrastructure (cloud services, GitHub)
  • Official organization emails (@cyberm.ca)
  • Internal tools or delta.cyberm.ca membership

While these restrictions are beyond our control, you may still be able to:

  • Join our Discord community
  • Contribute to missions and receive credit
  • Collaborate on vulnerability research

For example, if you discover a zero-day affecting Canadian infrastructure, we will help you disclose it responsibly, no matter where you are based.

6. Ethical Guidelines for Vulnerability Research

This section covers what we do, how to handle vulnerabilities with care, and how to remain within the law. Here are some rules to help you out:

  1. Do not share details of vulnerabilities you find with anyone else, unless you really know the other side follows the same ethical principles as you
  2. Do not disclose vulnerabilities until 90 days after reporting them to vendors or a CVE Numbering Authority (CNA)
  3. Always obtain proper authorization before testing any system; only investigate assets you own or have explicit written permission to assess
  4. Keep your testing methods minimally invasive; avoid actions that could disrupt services, damage data, or impact real users
  5. Communicate responsibly and clearly with vendors, including providing reproducible but non-harmful proof-of-concept details when needed for remediation
  6. Respect privacy at all times; never access, modify, or store unrelated personal or sensitive data encountered during research

7. Retirement

Retirement applies only to members and contributors, not lead researchers. If you don't produce new output every 90 days, you will be retired.

No one stays a member forever. Priorities shift, life evolves, and we may eventually part ways, which is why we have a retirement plan designed to preserve all of your achievements while allowing you to move forward gracefully.

We may suggest retirement to members who are no longer able to contribute meaningfully. This isn't punitive, it's just pragmatism. Retirement creates space for new talent and ensures the community remains dynamic and productive. It's evolution, not elimination.

Even the founders and administrators are not immune to this process. Retirement is inevitable for everyone, which is precisely why we invest in creating the next generation of cybersecurity leaders, so the mission continues beyond any individual.

Your contributions are yours to keep, regardless of your status within Delta Obscura. We honor what you've built, even if our paths diverge.