Information
This assignment requires a bespoke approach for timely, fair and consistent marking due to the very large amount of fine-grained individually-weighted responses and large classes.
- There are numerous multiple correct tag combinations to describe and mitigate vulnerabilities. You won't lose marks where there is ambiguity.
- Do not worry about the best combination of tags to describe something. It's not marked by finding the exact correct combination of tags (there isn't one).
- There are many, many different correct solutions that can get 100%.
- Marks are awarded for certain combinations/pairs/groups of tags in an overlapping non-linear way.
- You should add all relevant tags to enrich your responses. Exploits should maximise the severity of the threat vectors, and mitigations should completely remove the threat and minimise the attack surface.
- However, marks can be deducted for having too many tags or for specific incorrect tag combinations—basically don't try and guess things you haven't found in the VM.
- Where possible, try to avoid the catch-all "Insecure" descriptor and use something more specific instead (although it is unavoidable in several cases).
- An optimised distance matrix and clustering strategy is used to detect collusion. Discrepancy in these cases can be severely penalised if identified.
- Marking is not fully automated, responses will be checked manually.
- There is no local storage or server backend with this; to save your progress click download, and to resume you can load the submission to resume.
- Don't try to hack this system, e.g. to allow more rows. Manually editing the downloaded file could result in a parsing error and you getting zero marks.
- Colours do nothing and do not impact the marking; they can be optionally used to help organise your findings.
If you have any feedback, suggestions or spot any bugs, please let me know via email or drop into my office hour.