FLOSSHack for Software Maintainers

From OWASP
Jump to: navigation, search

FLOSSHack for Software Maintainers

If your software project been selected for a FLOSSHack event, then congratulations! This means that we're interested in breaking your code, in a good way.

FLOSSHack events are designed to accomplish two primary goals:

  • Help those who want to learn more about security auditing of software
  • Improve the security posture of a worthy software project (like yours) at low or no cost

For the event to be the most successful, we encourage close collaboration with software maintainers. While we could operate completely autonomously (relying solely on software and documentation that software maintainers have already published), we think an ideal FLOSSHack event would go something like this:

  1. FLOSSHack "target" software selected
  2. Software maintainers contacted and provide FLOSSHack organizers with:
    1. Their opinion on the best version of software to test against (latest release version vs. source code repository version, etc)
    2. Instructions on the typical deployment/installation configuration (or better yet, provide organizers with a pre-installed virtual machine!)
    3. An overview of the application's authorization model: what roles exist and who should be allowed to do what
    4. Any information on what attack scenarios are most likely against the software
  3. FLOSSHack organizers schedule the workshop event, publish details
  4. About one week before the workshop date, participants begin auditing the software based on details provided by maintainers
  5. On the day of the workshop:
    1. Participants gather face-to-face and remotely for an intensive hack session
    2. Friendly competition on who can find the "most" or "best" bugs is encouraged
    3. Software maintainers are encouraged to send a representative or join remotely. This can be very helpful for participants as questions about the software's intended use cases arise.
    4. At the end of the hack session, awards may be given to the most successful participants, based on number or types of vulnerabilities found. (Software maintainers are welcome to provide small prizes to be given away as awards. Small incentives can go a long way!)
  6. FLOSSHack organizers gather up all of the vulnerabilities and other security-related flaws found by participants and are provided to the software maintainer through a responsible disclosure process:
    1. In most cases, CVE identifiers will be assigned to the vulnerabilities found
    2. After the flaws have been corrected in the source code, software maintainers release patches and/or new versions of the software to help secure their userbase. At that time, the original FLOSSHack participants who found the flaws should be credited with the finding, unless they choose to remain anonymous. A simple credit is all that is necessary, such as "Thanks to Jane Participant for bringing CVE-XXXX-XXXX to our attention."
    3. After all flaws have been corrected, a listing of the flaws found will be posted to the FLOSSHack event page