February 14 - March 14, 2023
The Big Fix
Join us for a month-long fix-a-thon, where you’ll win prizes for fixing vulnerabilities in open (and closed) source software while making a positive impact. The Big Fix brings developers together to build a more secure software ecosystem to benefit us all while having fun and learning about security.
Show your software some love
Secure software is happy software – help us fix over 200,000 vulnerabilities this month! Follow the steps below to begin securing your open and closed source projects while earning swag, learning about security, and building a more secure software ecosystem for us all.
1. Scan your projects
Connect The Big Fix app to your projects and use Snyk to scan for vulnerabilities.
2. Fix vulns with Snyk
Fix at least one security vulnerability and we’ll send you a limited edition Big Fix t-shirt.
3. Connect with community
Join the DevSecOps Discord to get support and fix security vulnerabilities with new friends.
4. Share your success
Tweet your progress using #TheBigFix, and mention or follow @snyksec to join our prize raffles.
5. Join the livestream
Come to our Feb 28 fix-a-thon live stream where you’ll learn about security and meet world-renown developer security experts.
6. Compete and win prizes
Track your fixing progress on the anonymized leaderboard and compete for the top spot and additional prizes!
Sign up and start fixing
The Big Fix is happening Feb 14 through March 14, 2023, with a live event on Feb 28 at 12:00 am GMT through March 1st 12:00 am GMT. Sign up to join.
Already registered? Access the leaderboard.
Fix vulnerabilities. Get swag and prizes!
Every participant that imports a project and fixes at least one vulnerability gets a limited edition t-shirt. Other prizes include:
Open source sponsorship gift cards
A limited edition Big Fix coin
A VR headset (1st place)
A wireless speaker (2nd place)
An Arduino starter kit (3rd place)
Disclose new vulnerabilities responsibly
Whether you’re a security researcher or a developer that just wants to make sure their libraries are safe, Snyk can help you uncover brand new vulnerabilities in your open and closed source projects. If you do find a new vuln, be sure to follow responsible disclosure guidelines. Read the FAQ below to learn how the Snyk Security Research team can help.
Mon, 27 Feb 2023 AT 07 PM
Livestream schedule
We have a day filled with fun segments and amazing speakers that will help you on your fixing journey. Below are all the segments and their times.
Good morning APJ7 pm - 3 am
Hello EMEA3 am - 11 am
Howdy AMER11 am - 7 pm
07:00 PM
Welcome to the Big Fix
Hosted by Vandana Verma Sehgal
07:30 PM
Security with Nicole Becher
Nicole Becher
08:00 PM
Learnings from Code Vigilant
Anant Shrivastava
08:45 PM
Full-stack software engineer and CTO at DivX
Yuya Tajima
09:30 PM
Secure Code Review for Hackers
Kayla Underkoffler
10:15 PM
Vulnerability Reporting and Re-validation
Aditya Shende
11:30 PM
ServiceNow Security with Karl
Karl Klassig
12:00 AM
Security with Soumen
Soumen
12:30 AM
Shift Left Isn’t What You Expected
Chen Gour Arie, Enso
01:00 AM
Security with Sanjeev Jaiswal
Sanjeev Jaiswal
01:30 AM
Building Orchestration Pipelines to Ensure Efficiency of Application Security Findings Resolution
Leonid Belkind, Torq
02:00 AM
REST API or GraphQL – Why Not Both?
Amit Lichtenberg, Otterize
02:30 AM
DevSecOps in Cloud
Ashish Rajan
FAQ
You have questions and we have answers. If you don’t find an answer for a question you have you can share it during the live stream for the hosts to help answer. Or email us at thebigfix@snyk.io.
How do I register?
Go to the sign-up form on this page and provide your name and email address.
How do I qualify to receive swag?
Register for The Big Fix event on February 14. This page will be updated with a form. Then create a Snyk account if you don’t already have one, import your project(s) to Snyk where they will be scanned for security issues, and fix at least one of the identified issues.
You can get started fixing security issues immediately to qualify for swag once the event ends, no need to wait! Regardless, we’d love to have you join our Discord community of fixers and our 24-hour livestream on February 28th!
When will raffle winners be announced?
We will be announcing raffle winners at two separate times: during our 24-hour livestream (more info on this below), as well as a few days after the event. We’ll directly message all raffle winners with redemption instructions.
How do I join the live stream and where do I get help?
We’ll be streaming to both Twitch and YouTube so you can tune in and chat with us on whichever platform you prefer. Make sure to set a reminder in your calendar!
Join our community Discord where you’ll be able to chat with other fixers like yourself, as well as seasoned security experts who can help answer your questions and resolve security issues! You can join Discord by clicking the following link: https://discord.gg/NXuz63GmUt
What do I do after joining Discord?
When you enter the community, you’ll need to confirm your email addresses and enable 2FA.
Following that, you’ll need to confirm that you have read the rules and accept the Terms and Conditions before being allowed into our channels.
Once you’ve accepted the Terms and Conditions, head to the “🛠-the-big-fix” channel in the “🐕 Snyk community” category and say hi!.
What if I find a new vulnerability in an open source project?
In this case, we’d like to ask you to avoid directly fixing the vulnerability in said project with a pull request and avoid opening a public issue, as these would put users at risk and the maintainers at stress to rush to the issue. Instead, we’d like to advise you to follow responsible disclosure guidelines and report the vulnerability to Snyk, through which we will help you with contacting the maintainer, triaging the vulnerability, and assigning a CVE to your name.
How do I find projects to add to The Big Fix app?
Take these steps after signing up.
When you authorize your Snyk account, you might be prompted with a request access form that includes a drop-down (showing “Dade Murphy group”) which lists your default Snyk group and the personal organizations attached to it. You may need to select a different group with the projects you want to import to the campaign.
If you need to switch to a different organization there is a drop-down menu in The Big Fix app that allows you to select a new organization and will display the projects associated with it.
How do I convince my boss?
Use this email template to explain the benefits of dedicating time to fixing vulnerabilities and the value of participating in this free event as a team.
Hey Boss,
In light of supply chain security vulnerabilities such as Log4j and Spring4Shell that made headlines last year, I would like my team to dedicate some time this month to fix vulnerabilities in our codebase.
I found a free online event called The Big Fix, where our team can get advice and troubleshooting support from security experts, plus earn rewards for fixing vulnerabilities in our projects. I’d love for our team to join this event for the following reasons:
We want to ensure our developers are educated on proactive security best practices so they can deliver secure code quickly. At this event, we’ll speak with security experts to help our team learn the ropes.
Fixing security issues in applications is important, but oftentimes intimidating. Taking on this responsibility in a fun, global competition allows us to work as a team and learn in a blameless environment.
Security is a massive priority for every development team. The event live stream will introduce our team to specific vulnerability patterns, like Cross Site Scripting, for example. Taking this on as a group activity will allow us to build momentum for prioritizing security in 2023.
The livestream event is on Feb 28, 2023 (a Tuesday), and I think it would be a huge help to our growth as a team to participate. Can we get approval for the team to spend the day learning about, identifying, and fixing security issues in our products as part of The Big Fix event?
Securely,
Your teammate
What is your data retention policy for the campaign and how is it used?
When you register for the event, you will sign-up with your name and email address. We’ll use an automatically generated alias to list you on the leaderboard and your email to send you the registration link. We keep the leaderboard and scoring data separate from your imported projects and other Snyk data. Upon 30 days of the event’s end, all your Snyk user data that we used during the event will be deleted. This is only scoped to applications you specifically authorize during the event. Your projects in Snyk will not be affected. Note that you may opt-in for further communication with Snyk when registering.
How are scores calculated?
An initial “snapshot” of vulnerability counts by severity are captured when you add a project to the big fix app. For example a project named nodejs-goof has 2 critical, 6 high, 15 medium and 38 low severity vulnerabilities and those are what get captured in the “snapshot”.
When you implement fixes for those vulnerabilities in the project AND a Snyk test is performed against the project Snyk will update the vulnerability counts internally. Then the Big Fix app will check in with Snyk periodically to get the current vulnerability counts for your projects and see if there are changes from the initial “snapshot”. For example if you fixed 2 high vulnerabilities in that nodejs-goof project, once a Snyk test is triggered Snyk will update the high severity vulnerability count from 6 to 4. Then the next time the Big Fix app checks in with Snyk it will see you fixed 2 high severity vulnerabilities and award you points
The points you earn for fixes is determined by the severity of the vulnerability you fixed and the big fix app’s scoring engine. The points awarded for each vulnerability severity level are as follows:
Critical: 4 points
High: 3 points
Medium: 2 points
Low: 1 point
Continuing with our example, after fixing 2 high severity vulnerabilities the big fix app will award you with 6 additional points to your current score.
The points awarded are applied to anyone who has imported that project to be used in the big fix app. What that means is if you and a coworker/teammate sign up for the big fix and import the same project then whenever either of you make a fix for that project you both will be awarded the same amount of points. For example a fix completed worth 4 points will be awarded to you and 4 points will be awarded to your coworker/teammate.
If the vulnerability count increases for a project you’ve added to be used as part of the big fix then you will lose points. For example if you imported a project with 3 low severity vulnerabilities and that increases to 5 you will lose points. Your point total will not go below zero regardless of the increase in vulnerability count.
I am getting 403 errors during registration, what should I do?
If project collaborators are seeing 403 errors when trying to register for The Big Fix App with their Snyk account, they either need to have “admin” role access, or a custom role created with the permission “Install Apps” (which you can find in the Snyk Apps Management section) and then assigned to them.
The following steps should be taken to mitigate the 403 issue:
Assign the custom role described above to users of a specific org
Users need to change their preferred org to the org where the role has been assigned
Users should log out of Snyk
Users should follow the registration link in their email
The Big Fix sponsors
We’re excited and proud to collaborate with the following Snyk partners that are equally committed to helping secure open source software and fix security vulnerabilities to make the world’s software safer.