Google this week announced that it is offering monetary payouts to individuals who help expand the detection capabilities of the Tsunami security scanner.
Two types of contributions are currently accepted in the experimental reward program, namely vulnerability detection plugins and web application fingerprints.
An open-source, general-purpose network security scanner, Tsunami is meant to help organizations identify vulnerabilities and misconfigurations in their networks in an automated manner.
Designed as an extensible network scanning engine that is easy to implement, the scanner relies heavily on plugins for the discovery of high-severity security bugs, and supports a curated set of vulnerabilities.
New plugins are expected to help Tsunami detect new security issues in scanned networks, and all interested contributors are encouraged to submit their projects.
Submissions will be reviewed by panel members in Google’s Vulnerability Management team and payout amounts will be awarded based on quality, vulnerability severity and time sensitivity. The maximum reward is $3,133.7, for critical vulnerabilities that came to light within the past two weeks.
Google added new web application fingerprinting capabilities to Tsunami only months ago, and is now looking to expand the scanner’s ability to detect off-the-shelf web applications. As more fingerprints are added to its database, the scanner will be able to support more web apps.
A flat $500 reward will be paid for each new application that is added to the database.
The new patch reward program, Google says, will run in iterations, to ensure that as many people as possible can participate. Those who choose to do so may donate their rewards to charity, just as with other reward programs.
Additional information on the Patch Reward Program for the Tsunami project is available on Google’s Bug Hunters website.