We extended the submission deadline to April 18, 2010

Month of PHP Security 2010 – CALL FOR PAPERS

Three years ago, in March 2007, the Hardened-PHP project had organized the Month of PHP Bugs. During one month more than 40 vulnerabilities in the PHP interpreter were disclosed in order to improve the overall security of PHP. Now, three years later, SektionEins GmbH will continue in the same spirit and organize the Month of PHP Security.

The intention of the Month of PHP Security is to gather the best research and articles about PHP security topics from the security community and share them with the rest of the world. This time the goal is not only to improve the security of PHP itself and applications directly by fixing security bugs, but also to help PHP developers around the world to write better and more secure PHP applications.

The Month of PHP Security will be held in May 2010 by SektionEins GmbH. During the month of May all qualifying entries will be published at day by day.

CFP Committee

The CFP committee for the Month of PHP Security consists of

  1. Johann-Peter Hartmann
  2. Stefan Esser
  3. Ben Fuhrmannek
  4. Fukami

The CFP committee will review all submissions and select the list of articles that will be published on

Accepted Topics/Articles

  • New vulnerability in PHP [1] (not simple safe_mode, open_basedir bypass vulnerabilities)
  • New vulnerability in PHP related software [1] (popular 3rd party PHP extensions/patches)
  • Explain a single topic of PHP application security in detail (such as guidelines on how to store passwords)
  • Explain a complicated vulnerability in/attack against a PHP widespread application [1]
  • Explain a complicated topic of attacking PHP (e.g. explain how to exploit heap overflows in PHP’s heap implementation)
  • Explain how to attack encrypted PHP applications
  • Release of a new open source PHP security tool
  • Other topics related to PHP or PHP application security

[1] Articles about new vulnerabilities should mention possible fixes or mitigations.

Responsible Disclosure

In case of submitted vulnerabilities SektionEins GmbH will contact the security team of the software vendor after the submission deadline and share the vulnerability information with them. Along with the vulnerability information SektionEins will provide the name of the submitting party in order to give proper credits.


At the end of May the CFP committee will review the published material and determine the best entries. Selected winners will get the following prizes.

# Prize
1. 1000 EUR + Syscan Ticket + CodeScan PHP License
2. 750 EUR + Syscan Ticket
3. 500 EUR + Syscan Ticket
4. 250 EUR + Syscan Ticket
5.-6. CodeScan PHP License
7.-16. Amazon Coupon of 65 USD/50 EUR

SektionEins reserves the right to disqualify any submitted entry. While employees of SektionEins can and will submit entries for the Month of PHP Security they are excluded from receiving prizes.

The 1000 EUR cash prize and the Syscan tickets were generously sponsored by Syscan. CodeScan PHP Licenses were sponsored by CodeScan Limited. All other cash and non-cash prizes are sponsored by SektionEins.

The winners of the Syscan tickets can choose one of the four Syscan 2010 conferences to go to. Syscan Tickets include free admission to the conference, speaker’s dinner and speaker party. Hotel and travelcosts are NOT included.

Please note that non-cash prizes cannot be changed into cash prizes.


Submissions should be sent to and consist of the following information:

  1. Name and contact information (e-mail, postal address)
  2. Employer and/or affiliations
  3. Article about one of the allowed topics (at least 1000 words)
  4. Optionally additional material like slides, whitepaper in PDF format

All submissions must be in English. The preferred delivery format is plain text or HTML, but PDF is also accepted. Please pack all the required items (pictures, text, …) in a ZIP archive and submit this ZIP archive by email.

Deadline for submissions is April 11, 2010 April 18, 2010.

Additional Information

After submission SektionEins GmbH will acknowledge submissions with a signed email. If you do not receive such an email within one week after submission, then please contact us at again.

By submitting your article you are granting SektionEins GmbH the rights to reproduce, distribute, advertise and show your article including but not limited to, printed and/or electronic advertisements, and all other media. However you are still allowed to publish your own work in whatever way you want.


We would like to thank Syscan and Coseinc for generously offering 1000 EUR cash prize and four tickets to Syscan. If you are interested in the latest and greatest security research you should really consider visiting one of the four Syscan conferences. You will find further information at

Also we would like to thank CodeScan Limited to offer CodeScan for PHP licenses as a prize. If you are interested in static code analysis for PHP, you might want to check

Additional Drawing

If you help us to spread the word about the Month of PHP Security and the open CFP by writing a blog posting about it, you have the chance to win one of ten 33 USD/25 EUR Amazon Coupons. To participate you have to write a blog posting about the Month of PHP Security CFP and send a link to your blog posting to The winners will be announced on May 1, 2010.

Thank you
Stefan Esser
Month of PHP Security /
SektionEins GmbH /