[Owasp-portland] "FLOSSHack" in early April?

Timothy D. Morgan tmorgan-owasp at vsecurity.com
Mon Mar 12 20:55:34 UTC 2012

Hi Everyone,

Thanks to those who were able to make it to our meeting last week.  We had
about 10-11 attendees plus our speaker and a couple of his friends, so
it was a solid turn out.

Next on my radar is to flesh out this idea I've been wanting to try out.
In the interest of having a catchy name, I'm calling it "FLOSSHack"
(for Free/Libre Open Source Software Hacking).  Feel free to suggest a
catchier name.  Here's the gist of it:

1. Gather together folks who are interested in getting down and dirty in
technical details to sharpen their penetration testing and security code
review skills.

2. Select a FLOSS application that people are interested in testing.
Let people work on their own for a week or so before a meeting.

3. Sit down together to discover and discuss as many vulnerabilities as
possible that were found in the application.  Discuss specific
exploitation scenarios and mitigation strategies. Openly share all of
the results of testing within the group (but avoid sharing publicly just

4. Work with the developer of the software to address the issues through
a responsible disclosure process.  Those who discover bugs get full
public credit for the issues they find (if they wish) and experience in
responsible notification and interaction with software maintainers.

I expect there will be a number of details to work out, but I would like
to take a quick poll on a few things.  If you don't mind taking a couple
of minutes to answer these questions (sent back to the list,
preferably), that would be great:

A. Would you be interested in participating in such an event?
   If "no", stop here.

B. What kinds of vulnerabilities are you most interested in learning
   about? (e.g. SQL injection, buffer overflows, XXE, ...)

C. What technologies/development platforms are you most experienced
   with?  What technologies/development platforms are you most
   interested in learning more about?

D. Do you have suggestions for what open source projects you would like
   to perform an audit of?

E. Will a FLOSSHack session on April 10 or 11 work for your schedule?

