Lots of CTF organizers are security researchers. This particular CTF is organized by people from Chaitin Tech, which is a cybersecurity company. They emphasize that their challenges are based on real vulnerabilities (found in their research, I presume).
Do the organizers know about the security vulnerability?
Where do they get the vulnerabilities from?