Earlier this week, Google announced in a statement that it is issuing cash payouts to people who help the company expand the detection capabilities of its network security scanner, Tsunami.
Google's team states that it hopes the program will let it rapidly extend the scanner's detection capabilities, better serve its users, and uncover more weaknesses in their network infrastructure.
Google's experimental reward program for Tsunami currently accepts two kinds of contributions: vulnerability detection add-ons and web app fingerprints.
- Vulnerability detection add-ons expand the scanner's detection capability. They are intended for any developer interested in supporting the project by contributing new weakness detection add-ons.
- Web app fingerprints are used to detect popular off-the-shelf web apps by comparing the fingerprint of a discovered application against a database of known app fingerprints. Supporting more web apps therefore requires more fingerprint data.
An adequate contribution to the web app fingerprints should include:
- A prebuilt fingerprint database file for an exposed web app, covering the variants still widely used in public. Google has already released tools to help create this database file.
- An automation shell script that refreshes the prebuilt fingerprint database whenever a new version of the web application is released.
All add-on contributions will be reviewed by a panel of associates selected from Google’s Vulnerability Management Team.
As an open-source, general-purpose network security scanner, Google's Tsunami is meant to address the specific challenges organizations face when trying to identify misconfigurations and weaknesses in their networks. In hyper-scale environments, security vulnerabilities must be detected and resolved in an entirely automated fashion.
Google Tsunami is designed as an extensible network scanning tool that is easy to deploy. However, the scanner depends heavily on plugins to detect high-severity security bugs, and it currently covers a curated set of weaknesses.
New add-ons are expected to help the scanner find fresh security threats in the networks it scans. Google is encouraging all interested developers to submit their proposals.
The prize amount depends on the quality of the weakness detected, its severity, and its time sensitivity. The final amount is determined at the discretion of Google's reward panel. The reward amounts Google provides for this program are as follows:
- Up to 1,337 USD for regular weaknesses that are highly rated.
- Up to 1,500 USD for regular weaknesses that are critically rated.
- Up to 2,000 USD for emergent weaknesses that are highly rated.
- Up to 3,133.7 USD for critically rated emergent weaknesses disclosed within the past two weeks.
- A flat amount of 500 USD for each web app fingerprint together with its corresponding automation scripts.
Google also notes that it added web app fingerprinting capabilities to the Tsunami Network Security Scanner only a couple of months ago, and it is now working to improve the scanner's ability to detect off-the-shelf web apps.
As noted above, the more fingerprints are added to the database, the more web apps the scanner will be able to recognize. In addition, Google says the patch reward program will be repeated so that as many developers as possible can participate.
As with its other security reward programs, developers can opt to donate their rewards to charity, and Google will double any amount donated. Prizes not claimed within 12 months will automatically be donated to a charity chosen by Google.
To learn more about the patch reward program, see Google's official rules and guidelines on the company's Bug Hunters website. If you have questions or suggestions about the program, you can reach Google at firstname.lastname@example.org.
Source: HackerCombat