Three years ago, the Hardened-PHP project (also known for the Suhosin security patch) organized the Month of PHP Bugs. During March 2007 more than 40 vulnerabilities in the PHP core and in popular extensions were revealed, and the majority of them were fixed in the subsequent releases of PHP.
A similar initiative started today with a call for papers for the Month of PHP Security, issued by a SektionEins committee that includes Stefan Esser, one of the founders of Hardened-PHP. The goal of the month-long series of articles is not only to improve the security of PHP-related software by fixing possible attack vectors, but also to help PHP programmers write more secure applications by exposing them to a public crash course on PHP security built from the best available material. From this point of view, the focus of the initiative is broader and more interesting to the general public than that of the original Month of PHP Bugs.
The best articles selected before the April 11 deadline will be published day by day during May 2010 at the official site. The accepted topics are:
- unpublished vulnerabilities of PHP and its extensions, plus possible attacks and exploits;
- vulnerabilities and attacks against popular PHP applications;
- releases of new PHP security tools;
- best practices on PHP application security and related material.
http://syscan.org/