Month of PHP Security 2010 - CALL FOR PAPERS
--------------------------------------------

Three years ago, in March 2007, the Hardened-PHP project organized the Month of PHP Bugs. During one month more than 40 vulnerabilities in the PHP interpreter were disclosed in order to improve the overall security of PHP.

Now, three years later, SektionEins GmbH will continue in the same spirit and organize the Month of PHP Security. The intention of the Month of PHP Security is to gather the best research and articles about PHP security topics from the security community and share them with the rest of the world. This time the goal is not only to improve the security of PHP itself and of applications directly by fixing security bugs, but also to help PHP developers around the world to write better and more secure PHP applications.

The Month of PHP Security will be held in May 2010 by SektionEins GmbH. During the month of May all qualifying entries will be published at http://php-security.org day by day.

CFP Committee
-------------

The CFP committee for the Month of PHP Security consists of

1) Johann-Peter Hartmann
2) Stefan Esser
3) Fukami
4) Ben Fuhrmannek

The CFP committee will review all submissions and select the list of articles that will be published on http://php-security.org

Accepted Topics/Articles
------------------------

* New vulnerability in PHP [1] (not simple safe_mode, open_basedir bypass vulnerabilities)
* New vulnerability in PHP related software [1] (popular 3rd party PHP extensions/patches)
* Explain a single topic of PHP application security in detail (such as guidelines on how to store passwords)
* Explain a complicated vulnerability in/attack against a widespread PHP application [1]
* Explain a complicated topic of attacking PHP (e.g. explain how to exploit heap overflows in PHP's heap implementation)
* Explain how to attack encrypted PHP applications
* Release of a new open source PHP security tool
* Other topics related to PHP or PHP application security [1]

Articles about new vulnerabilities should mention possible fixes or mitigations.

Responsible Disclosure
----------------------

In case of submitted vulnerabilities SektionEins GmbH will contact the security team of the software vendor after the submission deadline and share the vulnerability information with them. Along with the vulnerability information SektionEins will provide the name of the submitting party in order to give proper credit.

Prizes
------

At the end of May the CFP committee will review the published material and determine the best entries. Selected winners will get the following prizes.

1. 1000 EUR + Syscan Ticket + CodeScan PHP License
2. 750 EUR + Syscan Ticket
3. 500 EUR + Syscan Ticket
4. 250 EUR + Syscan Ticket
5.-6. CodeScan PHP License
7.-16. Amazon Coupon of 65 USD/50 EUR

SektionEins reserves the right to disqualify any submitted entry. While employees of SektionEins can and will submit entries for the Month of PHP Security, they are excluded from receiving prizes.

The 1000 EUR cash prize and the Syscan tickets were generously sponsored by Syscan. CodeScan PHP Licenses were sponsored by CodeScan Limited. All other cash and non-cash prizes are sponsored by SektionEins.

The winners of the Syscan tickets can choose one of the four Syscan 2010 conferences to go to. Syscan Tickets include free admission to the conference, speaker's dinner and speaker party. Hotel and travel costs are NOT included.

Please note that non-cash prizes cannot be changed into cash prizes.

Submission
----------

Submissions should be sent to cfp@php-security.org and consist of the following information:

1) Name and contact information (e-mail, postal address)
2) Employer and/or affiliations
3) Article about one of the allowed topics (at least 1000 words)
4) Optionally additional material like slides, whitepaper in PDF format

All submissions must be in English. The preferred delivery format is plain text or HTML, but PDF is also accepted. Please pack all the required items (pictures, text, ...) in a ZIP archive and submit this ZIP archive by email.

Deadline for submissions is April 11, 2010.

Additional Information
----------------------

After submission SektionEins GmbH will acknowledge submissions with a signed email. If you do not receive such an email within one week after submission, then please contact us at cfp@php-security.org again.

By submitting your article you are granting SektionEins GmbH the rights to reproduce, distribute, advertise and show your article, including but not limited to http://php-security.org, printed and/or electronic advertisements, and all other media. However, you are still allowed to publish your own work in whatever way you want.

Thanks
------

We would like to thank Syscan and Coseinc for generously offering the 1000 EUR cash prize and four tickets to Syscan. If you are interested in the latest and greatest security research you should really consider visiting one of the four Syscan conferences. You will find further information at http://www.syscan.org/

Also we would like to thank CodeScan Limited for offering CodeScan for PHP licenses as a prize. If you are interested in static code analysis for PHP, you might want to check http://www.codescan.com/.

Additional Drawing
------------------

If you help us to spread the word about the Month of PHP Security and the open CFP by writing a blog posting about it, you have the chance to win one of ten 33 USD/25 EUR Amazon Coupons.

To participate you have to write a blog posting about the Month of PHP Security CFP and send a link to your blog posting to drawing@php-security.org

The winners will be announced on May 1, 2010.

--
Thank you

Stefan Esser
Organiser Month of PHP Security / php-security.org
SektionEins GmbH / www.sektioneins.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/