Ethics & Code of Conduct

Doing The Right Thing

Our Ethics

Staying within ethical boundaries is a top concern of the Social Engineering Community (SEC). As such, we have created a Code of Ethics, which anyone who participates in our activities, including making live calls or deploying AI-driven calls, must agree to. We also ask that all staff and volunteers agree to the Code of Ethics.

SEC Code of Ethics

Ethics is a core component of the information security industry, especially when dealing with Social Engineering. The goal of this section is to define the SEC’s ethics so that contestants can compete in our Contests in a way that is acceptable throughout our industry to the contestant, the recipient of the call, and the target company.

Our ethics were written to provide an understanding that the competitions are designed to meet three primary objectives. We believe the ethics below strike the best balance: an acceptable and approachable method of conducting these competitions while preventing harm to any party.

  1. Showcase live Social Engineering techniques, whether human-driven or AI-driven, from a variety of participants that gather non-sensitive but important information.
  2. Demonstrate the effectiveness of these techniques so that audience members can see in real-time how they work.
  3. Identify and celebrate individuals and the companies which employ proper security awareness practices which prevent the Social Engineering techniques from working.

Should a competitor have questions about whether something meets or does not meet our ethics above, they may submit the question before the event and on-site before their call. Contestants should not make or deploy calls using pretexts or other dialogs that they are unsure meet the ethics below.

If, during a call, the judges or SEC staff determine that a participant’s pretext or dialog is unethical, they may intervene as they see fit, including terminating the call and disqualifying the participant from any event on the spot.

Finally, the Social Engineering Community reserves the right to update or otherwise change these ethics without notice.

Any individual participating in a live call at a SEC event at DEF CON must agree to and abide by these ethics.

Participants will only call employees from the company provided.

  • Calls must be made only to employees of the assigned organization. Participants will refrain from calling family or friends of an employee, contractors, or vendors for the organization.
  • Any direct dial number must have verifiable evidence that it is a corporate-owned phone number and not a personal cell phone.

Participants will refrain from using pretexts or narratives which utilize fear.

  • Pretexts must never make the receiver of the call fearful or feel threatened. For example, this includes any pretext that uses explicit or implicit repercussions for not complying with requests or following instructions.

Participants will always maintain professionalism during the call.

  • The call’s content should remain professional and appropriate for all ages. Participants guarantee that vulgar language or otherwise offensive content will not be used.

Participants will not impersonate an external authority figure.

  • Pretexts must not explicitly or implicitly claim that the participant holds an external position of authority. Disallowed impersonation includes but is not limited to roles such as police, lawyers, doctors, city officials, etc.

Participants will refrain from collecting sensitive information such as personally identifiable information (PII), credentials, etc.

  • At no time should participants explicitly or implicitly request sensitive information. If the call recipient attempts to provide information that may be sensitive, the participant must immediately attempt to stop the receiver from divulging further.
  • During any OSINT conducted, participants will not seek or collect sensitive information. The focus must remain on gathering non-sensitive information relevant to the competition objectives.

Participants will not train any AI agent on a real person’s voice or clone a voice without that person’s prior written consent.

  • For contests involving AI, participants must ensure that any voice data used to train their AI agents is either synthetic or obtained with explicit written permission from the individual whose voice is used.

Participants understand that they are responsible for the tools they choose to use in the competition.

  • Participants acknowledge that their team will utilize tools of their own choosing and must review and accept the terms and conditions of those tools, assuming any associated risks.

Participants will focus on the company and on the individual in their role as an employee, not as a private individual.

  • While interacting with an individual, the focus of pretexts must be to elicit information about the company via their role with the company, not personal information about the individual. Small talk is acceptable, but participants must refrain from focusing heavily on the personal life and/or traits of the individual.

Participants will only keep the information discovered for as long as needed.

  • After the event, participants are not expected or otherwise required to maintain or keep the information or other documentation about the interaction, including reports and notes from any OSINT conducted.

Participants will refrain from using the information discovered for any competition in any other way.

  • Participants are expected to ensure the information discovered is used solely for the competition and will not be sold, shared, or otherwise disseminated to any other party or used for other purposes.

Participants will speak about the results of their call(s) in a positive way that focuses on aspects that can be controlled and do not shame either the company or individual.

  • This guideline is not intended to limit freedom of speech. However, we believe it is in the best interest of the Social Engineering Community, targets, and individuals to present narratives of the event that focus on both strengths and weaknesses without incorporating shame.
  • As an example, rather than saying “So’n’So was stupid for thinking I was actually a department manager and really screwed Acme Co. for giving me all that information over the phone,” consider framing the situation like this: “My pretext leveraged implied trust when pretending to be a manager, resulting in the receiver complying with my request without question. The organization should consider implementing a policy to pass information via another method such as email, or have a method of verification to confirm employees.”

Participants will not cheat in the competition.

  • OSINT, pretexts, and target phone numbers will be proactively investigated for signs of cheating, including manufacturing OSINT data, falsifying phone numbers, or staging plants. Evidence that corroborates cheating by the participant will result in disqualification.

Participants will follow the spirit of these ethics in all their decisions leading up to, during, and after the call.

  • We wrote these ethics to set guidelines that capture the effects of social engineering against companies while minimizing the impact to all parties as much as possible. These ethics were not designed to enable someone to find loopholes, contradictions, or other inconsistencies in order to accomplish something the Social Engineering Community staff would construe as unethical. Participants agree to follow these guidelines and may at any time request assistance from the Social Engineering Community staff to determine whether something meets our ethical guidelines.

Code of Conduct

SEC abides by and enforces DEF CON’s Code of Conduct (CoC).