I fully agree with you that the XSS Contest isn’t that interesting for people which are already working or just having fun in the webapplication security field but for example I’ll do something like this in a course for students because in this way, the get the point of finding XSS vulnerabilities, where they can find them and directly have some hands on training. This I think will be fun for them and it takes only about one hour and nearly no preparation.

About #3 you’re absolutely right, of course this have to be a blackbox testing because else the people can just compare the original sourcecode with the modified one and find all vulnerabilities very easy. The coolest way here of course would be if someone wrote a complete new application and then you can also offer the source to the participants which makes it much more interesting but I don’t think that there are so many webapp developers out there which would do that.

So #2 and #3 from my point of view can be interesting but you have to do it in a specific way with the right people and we don’t have to discuss about idea #1, of course it’s the most interesting and if someone is going to set up something like this, let me know

On #2; Its an interesting idea, but crawling over sites just to input "><b>test</b> everywhere isn’t exactly my idea of fun. Frankly that would bore me to tears honestly.

#3 is half way in between, in that sure you *can* put interesting vulns in there, but this is probably a black box approach, and so any interesting vulns there

So personally I’d probably only participate in #1, because I can see it being much more interesting than the other two where the vulns are just going to be the standard run of the mill attacks we deal with every day – either that or they’ll be almost impossible to find, and in #2, they might not even exist.