**PLEASE READ BEFORE PRP REQUEST**: Notes to Patch Reward Program Participants

[magl0]

First of all, thanks everyone for your interest in this new patch reward program! 40+ requests in less than 24 hours are totally unexpected :)

The Tsunami Scanner Team would like to post several notes for both existing users and newcomers of the program:

• We are actively reviewing all the requests through our panel. But the volume of the requests is over the capacity of our panel members. So please be patient if you didn't hear back from us on your request.
• Many participants submitted several program requests. While we really appreciate your interests in our program, our panel will only be able to work on one issue at a time per participant to ensure the quality of the contribution. So in order to prevent double submissions and inactive issues blocking others from contributing, we kindly ask each participant to only submit one request at a time.

And regarding the plugin contributions:

• Please put all detector codes under the community folder. A GitHub Action will be set up shortly to enable the CI process for all PRs.
• For the vulnerability report from the plugin, please use TSUNAMI_COMMUNITY as the vulnerability publisher for consistency.
• In many requests, we've seen the verification plans to check whether the HTTP response codes are 200/400. Based on our experience, detectors are prone to false-positives if they only check for response codes. A very common symptom is false alarms on health check endpoints. These endpoints usually return response code 200 regardless of the request contents. So please use more reliable signals in your detector code for vulnerability verification, e.g. is there any application specific data you can check in response body/response header/etc?

[maoning]

Please run https://github.com/google/google-java-format against your Java files before starting the code review, this would greatly reduce review overhead due to linter errors.

[maoning]

Since last year we have made the following changes to the program to make it more sustainable and to support our contributors better:

PR Review Throughput

We are partnering with Doyensec to share the plugin review workload. They have been carefully vested and onboarded to the Tsunami ecosystem in the past 6 months. Some of you will start receiving review feedback from Doyensec members starting this week.

Plugin Contribution Opportunities

We have recently released a set of AI relevant Tsunami plugin requests (blog post, github label) to offer more plugin contribution opportunities to the community. We will continue doing so and welcome new plugin requests in the AI space.

Consistent Submission & Review Process

To make the review process more consistent & easier to do long-term test and debug, for new PRs, please submit your secure and insecure application configurations to the security-testbeds repo first. We also have more exciting plans for security-testbeds, stay tuned for future updates.