Google Launches Reward Program For Tsunami Security Scanner


The programme gives financial prizes of up to $3,133.

The Tsunami Security Scanner is the focus of a new Google development effort.

Members of Google’s vulnerability management team, Guoli Ma, Sebastian Lekies, and Claudio Criscione, said in a blog post on September 28 that the new programme is designed to strengthen Tsunami’s security detection capabilities.

The Tsunami Security Scanner was an internal Google tool before being launched and made available to the public in July 2020.

The scanner is intended to scan large company networks for open ports and then cross-check vulnerability exposure based on the initial reconnaissance findings. Users can install plugins to check for specific security issues. Tsunami can also look for basic security flaws, such as the usage of insecure enterprise credentials.

According to Google, the new, experimental programme would award patch incentives to researchers who create plugins and application fingerprints. The plugin category asks contributors to create plugins for enhanced vulnerability detection, while the fingerprint category seeks web application modules that detect off-the-shelf web apps in a business network.

High and critical-severity flaws that can have a real-world impact on business security are of particular interest to the company.

“The vulnerability should have a high or critical severity rating if there is already a CVE ID assigned (CVSS score >= 7.0),” Google says. “If there is no severity assigned yet, the Tsunami scanner team will perform the triage and determine the severity. This usually includes vulnerabilities like Remote Code Executions (RCEs), arbitrary file uploading, security misconfigurations that result in the exposure of sensitive admin panels, and so on.”

Tsunami, according to the tech giant, also requires more fingerprint data for popular online apps that may include defects that compromise the security of a larger network. If IT teams are unaware that these apps exist, the apps may be neglected during patching processes.

Google’s vulnerability management team is in charge of the contributions.

In July, Google announced the launch of https://bughunters.google.com, a new bug bounty programme. To make the vulnerability disclosure process easier, the resource site brings together all of the firm’s Vulnerability Rewards Programs (VRPs), including Google, Android, Abuse, Chrome, and Play.

Anyone interested in the Tsunami programme can find the in-scope lists for contributions to open source tools and Tsunami on this platform.

The financial rewards vary. For web application fingerprints, Google is willing to pay a flat $500 for each fingerprint added to Tsunami’s database. For plugins, up to $3,133 is available, depending on the severity of a vulnerability and whether or not it is emergent.

Jennifer Thomas