Back to blog
4 min read
My Time at CTFd: Learning from a One-Man Operation

The Platform

If you’ve competed in a capture-the-flag competition in the last decade, you’ve probably used CTFd. Started by Kevin Chung back in 2015 at NYU’s ISIS Lab, it’s grown into the go-to framework for running CTFs. The numbers speak for themselves: over 6,400 stars on GitHub, 2,500+ forks, and 144 contributors over 67 releases.

CTFd powers competitions at every scale—from university clubs to CSAW, one of the largest student-run cybersecurity events in the world, which brings together over 3,000 participants annually across five global academic centers. When picoCTF deprecated their own platform, they recommended CTFd as the modern alternative. That’s the kind of reputation Kevin built.

Working with Kevin

Here’s the thing about Kevin: he didn’t really need help. The man had been solo-maintaining CTFd for nearly a decade while shipping security patches, major features, and keeping the hosted platform running. In February 2024 alone, he shipped CTFd 3.7.0 with scoring brackets, social sharing, and migrated the entire frontend build system from webpack to Vite. By himself.

I came in initially with more responsibility, but I quickly realized I was working with someone who had already figured out most of the problems I thought I’d be solving. Kevin’s the type of developer who publishes blog posts about sanitizing malicious HTML in content editors while simultaneously reverse engineering RFID systems and fixing PlayStation 1 modchips. The breadth was intimidating.

So I got converted to an intern. Not because I wasn’t capable, but because there genuinely wasn’t enough work that Kevin couldn’t handle faster himself. It was a humbling experience, but also incredibly educational.

What I Did

My role shifted to support and maintenance work:

  • Customer Support: Handled tickets through Linear, responded to deployment questions, and troubleshot issues for competition organizers
  • Security Testing: When CVE-worthy vulnerabilities popped up—like the October 2024 DoS issue or the December 2024 bracket manipulation bug—I helped verify fixes and test edge cases
  • Competition Setup: Assisted with internal CTF testing to make sure challenges worked correctly before they went live
  • PR Reviews: Contributed smaller fixes and improvements across the Python/Flask backend and JavaScript frontend

The Technical Stack

CTFd is primarily Python (57.8%) with Flask on the backend, plus JavaScript (20.3%) and Vue on the frontend. The codebase has evolved over 10 years, so there’s a mix of legacy patterns and modern tooling. Working with it was a crash course in maintaining production software that thousands of organizations depend on.

The January 2025 pricing update was the first in over seven years—that’s how stable and well-architected this thing is. Kevin built something that basically runs itself.

What I Learned

The biggest lesson wasn’t technical. It was understanding that some developers are just operating at a different level, and the best thing you can do is learn from them rather than try to prove yourself. Kevin’s efficiency comes from years of deep domain expertise and knowing exactly what matters in the CTF space.

I’m grateful for the experience, even if it wasn’t what I originally expected. Sometimes the best education is watching someone who’s mastered their craft.

I interned at CTFd from December 2024 to August 2025. I’m currently pursuing my BS in Internet Technology at UCF and working as a Full Cycle Developer at Crest Advisory Group.