On September 28, Guoli Ma, Sebastian Lekies, and Claudio Criscione, members of Google’s vulnerability management team, said in a blog post that the new program is designed to improve Tsunami’s security detection capabilities.
The Tsunami Security Scanner, open sourced in July 2020, was originally an internal Google tool and has since been published and made available to the public.
The scanner is designed to check large-scale enterprise networks for open ports and then to cross-check vulnerability exposure based on the initial reconnaissance results. Plugins can be implemented by users to check for specific security flaws. Tsunami can also check for basic security issues including the use of weak enterprise credentials.
Google says that the new, experimental program will give researchers patch rewards for creating plugins and application fingerprints. The former requires contributors to develop plugins that can be used for enhanced vulnerability detection, whereas the latter asks for web application modules that can be used to detect off-the-shelf web apps in an enterprise network.
The company is most interested in high and critical-severity bugs that can have a real-world impact on enterprise security.
“The vulnerability should have a high or critical severity rating if there is already a CVE ID assigned (CVSS score >= 7.0),” Google says. “If there is no severity assigned yet, the Tsunami scanner team will perform the triage and determine the severity. This usually includes vulnerabilities like Remote Code Executions (RCEs), arbitrary file uploading, security misconfigurations that result in the exposure of sensitive admin panels, and so on.”
The tech giant says that Tsunami also needs more fingerprint data for popular web apps which may contain bugs that impact the security of a wider network. If IT teams do not realize they are present, this could mean they are overlooked in patch processes.
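The recon-then-check flow described above (open services found first, web applications identified by fingerprint, plugins run only against what the fingerprints report) can be sketched end to end. The following Python is an added illustration written for this article, not Tsunami's own code or plugin API: the `Service`/`Finding` types, the `FINGERPRINTS` table, the `exposed_admin_panel` plugin and every host, port, path and hash value are constructed stand-ins. The severity bands in `severity()` are the standard CVSS v3 qualitative ranges, which is why the 7.0 threshold quoted by Google separates "High" from "Medium".

```python
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Service:
    """One open service found by the reconnaissance stage (assumed already done)."""
    host: str
    port: int
    banner: str
    responses: dict  # path -> (status, body); constructed stand-in for HTTP probes


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str
    cvss: float
    detail: str


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Fingerprint database: app name -> {static path: sha256 of the expected body}.
# A real database would hold many hashes per app and version; these are constructed.
FINGERPRINTS = {
    "exampleapp": {"/static/app.js": sha256_hex("console.log('exampleapp 1.0');")},
}


def fingerprint(service):
    """Return the apps whose every static-file hash matches what the service served."""
    found = []
    for app, sigs in FINGERPRINTS.items():
        if all(sha256_hex(service.responses.get(path, (0, ""))[1]) == digest
               for path, digest in sigs.items()):
            found.append(app)
    return found


def exposed_admin_panel(service, apps):
    """Plugin (hypothetical): flag an exampleapp admin panel that answers 200 without auth.

    Only runs when the fingerprint stage identified the app, so the check is targeted
    rather than fired at every host. The 7.5 score is a constructed example value.
    """
    if "exampleapp" in apps:
        status, _ = service.responses.get("/admin", (0, ""))
        if status == 200:
            return Finding(service.host, service.port, "exposed_admin_panel", 7.5,
                           "/admin reachable without authentication")
    return None


PLUGINS = [exposed_admin_panel]


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss == 0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def scan(services):
    """Fingerprint each discovered service, run the plugins, collect findings."""
    findings = []
    for svc in services:
        apps = fingerprint(svc)
        for plugin in PLUGINS:
            finding = plugin(svc, apps)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed inventory: one vulnerable exampleapp host, one patched host, one unknown app.
SAMPLE_SERVICES = [
    Service("10.0.0.5", 80, "nginx", {
        "/static/app.js": (200, "console.log('exampleapp 1.0');"),
        "/admin": (200, "<h1>Admin</h1>"),
    }),
    Service("10.0.0.6", 80, "nginx", {
        "/static/app.js": (200, "console.log('exampleapp 1.0');"),
        "/admin": (401, "Unauthorized"),
    }),
    Service("10.0.0.7", 8080, "jetty", {
        "/static/app.js": (200, "console.log('other');"),
        "/admin": (200, "<h1>Admin</h1>"),
    }),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SERVICES):
        print(f"{f.host}:{f.port} {f.plugin} {severity(f.cvss)} {f.detail}")
```

Note that 10.0.0.7 exposes an `/admin` page too but produces no finding: without a matching fingerprint the plugin has no basis to claim which application is behind it, which is exactly why the fingerprint database matters as much as the plugins themselves.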
Contributions are overseen by Google’s vulnerability management team.
In July, Google announced a new bug bounty platform, https://bughunters.google.com. The resource center brings together all of the firm’s Vulnerability Rewards Programs (VRPs), including Google, Android, Abuse, Chrome and Play to streamline the vulnerability disclosure process.
It is on this platform that those interested in the Tsunami program can find the in-scope lists for contributions to open source tools and Tsunami.
Financial rewards vary. For web application fingerprints, Google is willing to pay a flat fee of $500 for each fingerprint added to Tsunami’s database. When it comes to plugins, up to $3,133 is on offer, depending on the severity of a vulnerability and whether or not it is emergent.