A few months ago Tim Morgan emailed the Portland OWASP chapter and suggested that we organize a meeting where everyone could get together and audit some existing software. When vulnerabilities were found we would follow the responsible disclosure life cycle and notify the maintainers before publicly disclosing. It would be a fun way to spend an afternoon, people would get experience with responsible hacking, and the software maintainers would have the opportunity improve their software. The idea gained traction and FLOSSHack One was born.
I coordinated with Ushahidi, an open source mapping application, to be the subject of the audit. They were very helpful, even participating during our meeting and answering questions about how their application was built. We had about ten people show up on a Sunday afternoon and everyone got to work in a supportive environment for penetration testing. By working with the developers we were able to cover a lot of the code and came up with several vulnerabilities to report which will be announced on security.ushahidi.com as appropriate.
Thanks to Tim for organizing the FLOSSHack, Ushahidi for supporting us on their end, and thanks to everyone who participated. If you’re interested in doing your own, Tim wrote this generic wiki page which should help.