FLOSSHack for Participants

FLOSSHack events are a perfect fit for those looking for a hands-on way to learn more about application security. Participants are encouraged to learn as much as they can about various common classes of vulnerabilities and then immediately apply that knowledge by auditing a real-world software system in a friendly hacking competition. A typical FLOSSHack event works as follows:


 * 1) An event organizer selects an appropriate open source software application for testing.  Participants are notified at least one week in advance of the event date as to what the application is.
 * 2) Eager participants get familiar with the target software and begin auditing the application on their own.
 * 3) FLOSSHack workshop begins.  Participants may join in person or remotely.  Workshop sessions may last anywhere from 2 to 4 hours.
 * 4) At the beginning of the workshop, security experts may cover one or more common vulnerability classes or security topics that may be relevant to the application.  This is designed to help participants learn how to find types of vulnerabilities they aren't as familiar with.
 * 5) Participants share any vulnerabilities found prior to the workshop.  Participants briefly describe their bugs and how they could be exploited.  Open discussion is encouraged.
 * 6) Hacking begins.  A pre-installed version of the application may be provided in some way, possibly on a VM or remotely.  In this way vulnerabilities can be tested in addition to having code reviewed for flaws.
 * 7) Whenever participants spot a new vulnerability, they should announce it and describe the bug to the others.  The resulting discussion may spark new ideas for finding additional flaws.  (If things are "slow" in this area, the FLOSSHack organizer may stop everyone once in a while to cover some security topic that may help with further bug finding.)
 * 8) Conclude the workshop session with, hopefully, a pile of security bugs.  Organizers may provide prizes for performance, such as most vulnerabilities found, or the "best" vulnerability found (as decided by participant vote).
 * 9) Security flaws are compiled and sent off to application maintainers in a manner consistent with responsible disclosure.  FLOSSHack organizers help facilitate this communication, but participants are given full credit for their finds (if they wish) once the issues are released publicly.