~ July 2016 ~

Open Source Security Bug Hunt!


The S0P is a Dutch community program for everyone with an interest in software security.

From enthusiastic beginners to the 1337est hackers out there.

So Students, Learners, Coders, Hackers, Breakers and... BBQ Kings, join us!

One team, One month, One target.

Meet. Fun. Hack. Learn. Pwn!

Big thanks to all pwners and the WP community!

Yorick Koster, Han Sahin, Sipke Mellema, Radjnies Bhansingh, David Vaartjes,
Niels Croese, Jurgen Kloosterman, Axel Koolhaas, Spyros Gasteratos, Burak Kelebek,
Peter Ganzevles, Spyros Tzavaras, Job Diesveld, Antonis Manaras, Nelson Berg,
Jarrod Nouichi, Remco Vermeulen, Bente Schopman, Jos van Nijnatten, Philip Peleus,
Trung Nguyen, Sai Shanthan Palvai, Wesley Gahr, Erwin Kievith, Dennis Kerdijk,
Amin Nadif, Marcel Vermeulen, Youri van der Zwart, Ed van der Vlies, Thijs Houtenbos,
René Slikker, Olaf Bontes, Bart Admiraal, Isatou Cham, Giorgio Kempes,
Ravi Harnam, Julien Rentrop, Edwin Molenaar, Cordny Nederkoorn, Jan van Ommeren,
Mark Kazemier, Simon Groenewolt, Anne Jan Brouwer, Maximiliaan Frederik Job Vasterd,
Triet banh, Ivar Reukers, Aksu Umit, Gianni Rodari, Joost van 't Zand, Simon Saffioti,
Daniele Linguaglossa, Pieter Vlasblom

and many more...

Summer of Pwnage target #2016 was


Most likely yes. Summer '17 or maybe even this winter! A new target! Follow us on Twitter or subscribe to the newsletter for more info.

We've received various requests from WP plugin owners to engage us for a commercial security review of their plugin(s).

Please send an e-mail to wp@securify.nl with a link to your plugin so we can provide you with a quote. On average, a full review / pentest will cost around 1-2K€, depending on the size and complexity of the plugin. You will receive a detailed report with findings, reproduction steps and actionable recommendations. Everything you need to start fixing right away.

Event Info

July 1st a kick-off will be held @Securify (Naritaweg 106-c Amsterdam) to explain the concept & targets. Every Friday there will be a meet-up to discuss findings and help out with any potential issues. You decide how much time you want to spend, when you want to spend it and whether you want to participate in any of the meetings. Do you want to spend a day, a week or the full month? It’s up to you!

The meet-ups are the ideal opportunities to share your ideas and findings with other participants, demonstrate your skills and exploits, help others and meet like-minded people. And of course we will make the setting ideal for the maximum amount of Pwnage by providing thirsty hackers with club-mate, cola and beer. For the hungry participants we’ll have pizzas, and, if the weather is nice, some BBQ to top it off.

The Summer of Pwnage will be running every Friday or Saturday of July. Each week there will be a meet-up to discuss findings, work together and to have fun!

We have scheduled the following meetings. If you want to contribute with a talk, let us know!

  • Fri July 1: Pwn Off

    11.00-17.00: Bug hunting!

    11.00: The Pwn off. Explain concept & targets, Pwn responsibly. By Yorick Koster.

    13.00: Hypertext Prepwner. A beginner's guide to pwning PHP. By Sipke Mellema

    15.00: Pwning the Bank. OWASP top 10 workshop. By David Vaartjes

    17.00: Food & beverages.

  • Sat July 9: Hands-on Pwn

    11.00-17.00: Bug hunting!

    11.00: Pwn with Burp. A workshop on the Pwners Swiss army knife. By Han Sahin.

    13.00: Pwning games. Cheaters, hookers and endbosses. By Radjnies

    15.00: Pwn of the Week. Demonstrate your 1337357 Pwns.

    17.00: Food & beverages.

  • Fri July 15: Hardening & Intermediate PHPwnage

    11.00-17.00: Bug hunting!

    11.00: Hardening WordPress. A guide to stop or recover from a Pwn. By Antonis Manaras.

    13.00: Intermediate PHPwnage. Null bytes, timing and equality. By Sipke Mellema

    15.00: Pwn of the Week. Demonstrate your 1337357 Pwns.

    17.00: Food & beverages.

  • Sat July 23: Automating the Pwn

    11.00-17.00: Bug hunting!

    11.00: Pwning with Metasploit. Creating Metasploit modules based on participants' findings. By Yorick Koster.

    13.00: Pwn automation. Integrating OWASP ZAP in your build pipeline. By Burak Kelebek.

    15.00: Pwn of the Week. Demonstrate your 1337357 Pwns.

    17.00: Food & beverages.

  • Fri July 29: Rate my Pwn

    11.00-15.00: Bug hunting!

    15.00: Beverages.

    15.00: Rate all pwns to compete for prizes.

    16.00: Food.

Of course you can! Summer of Pwnage is for everyone with an interest in software security, regardless of your expertise on the subject. So anyone from enthusiastic beginners to the 1337est hackers can join. Are you curious about the type of work involved and you just want to find out if it is something for you? Sign up! We are here to get you on track.

We will be working on source code a lot. So it helps if code isn't ciphertext to you ;-) So if you ever did some coding or code reviews (for fun or profit), and software security has your interest, the S0P needs you!

The event has a strong focus on sharing knowledge and teaching others, and with all the security experts joining there is more than enough knowledge to go around! Our security specialists have found security holes in products made by Microsoft, Apple, Cisco, Citrix, Amazon, Adobe, EMC, Oracle, Synology and more, making this an excellent opportunity to learn from and work with the very best. Check out some recent work here!

Summer of Pwnage is a community project and its goal is to contribute to the security of popular, widely used open-source software projects in a fun and educational way. So everyone wins! We are not here to make the rules, and as a result everyone will be the rightful owner of his own bugs and exploits, so you can use them as you like. We do, however, strongly support being part of the solution and responsibly disclosing them to the authors of the original code, something we will be helping you with if need be.

During the closing meet-up (end of July) we will present and rate all findings together! The top 10 coolest findings will be rewarded with the Summer of Pwnage sunglasses and t-shirt. But there is more! The coolest, most brilliant and l33t3st Pwn of all will be rewarded with a

Summer of Pwnage Macbook Pro!

During this event we will be researching and exploiting the WordPress CMS and a number of its plugins. This is a free, open-source, PHP-based CMS. WP has a gazillion Lines Of Code and thousands of plugins. A bug hunter's paradise! We will provide VMs, so you can start hunting right away. More info at wordpress.org.

To compete for the prizes we'd like you to send your Pwn to us. If you like we can report your find to the vendor. In order to submit your Pwn, please fill in the following form: pwn form.txt (example).

Submit the form to sumofpwn@securify.nl. Submissions can be encrypted with PGP or S/MIME.

Any more questions about the Summer of Pwnage? Drop us a line at sumofpwn@securify.nl.

The Summer of Pwnage is hosted at Securify (Beta Building offices). A 10 min. walk from train station Amsterdam Sloterdijk.

Find more info on location and directions on the site of Beta Building.

There is limited parking space for visitors next to the door, but there are enough free parking spots a 5 min. walk away.


Naritaweg 106C
1043 CA Amsterdam


Tel: +31 (0)20 820 45 16
Mail: info@securify.nl
KVK: 58043624