Notice: The Nmap Project won't be participating in GSoC 2019. We are taking a hiatus, as described here. We love the program and will likely participate again in future years, so please keep us in mind in the future. The information on this page is all old stuff from our last GSoC in 2017.

Nmap Summer of Code Introduction

The Nmap Security Scanner Project is one of only 7 organizations to participate in all thirteen Google Summers of Code. This innovative and extraordinarily generous program provides up to $6,600 USD stipends to 1,000+ college and graduate students each year to create and enhance open source software during their summer break. Students gain valuable experience, get paid, strengthen their résumé, and write code which will be distributed freely and used by millions of people! It has been a huge success for us and the 78 student participants we've mentored over

Nmap Summer of Code Introduction

The Nmap Security Scanner Project is one of only 7 organizations to participate in all thirteen Google Summers of Code. This innovative and extraordinarily generous program provides up to $6,600 USD stipends to 1,000+ college and graduate students each year to create and enhance open source software during their summer break. Students gain valuable experience, get paid, strengthen their résumé, and write code which will be distributed freely and used by millions of people! It has been a huge success for us and the 78 student participants we've mentored over the years. Google published a great story by one of our alumni in his own words explaining how GSoC changed his life for the better, and we also publish our success stories every year. So we're delighted and excited that Google has selected us again in 2017!

Nmap is a free tool for network exploration or security auditing. Several project ideas are suggested below, or you can come up with your own clever project. Maybe there is a feature that you have wanted for years, but nobody has yet stepped up to the plate to implement it.

Almost all college and graduate students are eligible, but you need to hurry because student applications are only accepted until Monday, April 3, 16:00 UTC (complete timeline). Applications can be submitted from our org profile page (the "Getting Started" link). We have written some tips for preparing a great application. If you apply (or plan to), please join the temporary Nmap SoC mailing list to receive announcements. If you have any questions about your ideas, the best place to post them is the Nmap Dev mailing list (you can join here or read the archives online). Questions specific to the Nmap SoC program may be sent to Nmap Dev or SoC lists, but we recommend Nmap Dev if the post is technical in nature.

Note that there are some basic requirements which apply to all sponsored projects.

Project Ideas

While you may submit a proposal for any cool idea your heart desires, here are some suggestions that we consider extremely desirable for the Nmap project and its users:


Testing/Automation Specialist

Key requirements: C/C++ skills, software engineering and test writing experience.

The Nmap Project is a fairly large code base, about 20 million lines of code including bundled third-party libraries. We have some rudimentary regression tests, but only for some components (Nsock, Ncat, and Zenmap). We're looking for someone who can implement an easy-to-use test system that can run on the various platforms we support (Windows, Linux, OS X, etc.) so we can be sure that the code does what it intends to do.

While the primary purpose of this role is to implement testing for Nmap's C++ codebase, we would also give consideration to someone willing to clean up Zenmap's existing tests, written in Python 2.

Performance/Optimization Specialist

Key requirements: Strong C++, algorithm, data structure, benchmarking, and code analysis skills.

We at the Nmap project pride ourselves at writing fast, efficient code, but there is always room for improvement. We're looking for someone who can do a deep dive into Nmap and find ways to improve the user experience by increasing speed and reducing resource (memory, CPU, network) usage. But we don't want to dramatically increase code complexity or cause other major maintenance headaches either.

For this role, deciding what to do will probably involve as much or more work than actually doing that. It will take careful analysis to determine what changes are likely to provide the most postive effect for users for a given amount of work.

The person in this role may also help with our large-scale scanning research to collect empirical data for improving performance, and/or analyze existing large data sets such as the Carna botnet. You will also want to take a close look at "competitive" scanning tools which focus on performance, such as Masscan and Zmap.

Here are some example tasks:

More ideas are on the SecWiki GSoC community ideas page.

Applications for this position should focus on your relevant optimization skills and experience as well as any ideas you have for improving Nmap performance.

Nmap Scripting Engine—Script Developer

Key requirements: Know or quickly learn the (simple) Lua scripting language. Have significant network security and/or network administration skills. Experience with the C and C++ languages is a plus.

In 2006, Diman Todorov worked as a GSoC student with Nmap author Fyodor to create the Nmap Scripting Engine (NSE). It has become one of Nmap's most popular and powerful features, allowing users to write (and share) simple scripts to automate a wide variety of networking tasks. We now have more than 550 scripts, all documented at the NSEDoc Reference Portal. They run the gamut from simple discovery tasks like whois lookups, retrieving web site titles, and banner grabbing, to complex functions like spidering a web server to find SQL injection vulnerabilities and brute force authentication cracking of MSRPC (SMB) servers. For a fun 38-minute introduction to NSE, see Fyodor and David Fifield's 2010 Defcon presentation video.

It is time we make the most of this fast and powerful scripting system! We need talented, creative developers to identify useful scripts (through research and community input) and then implementing them. We already have many candidate script ideas on our wiki.

The script developers will also likely write some new libraries since general code that many scripts are likely to use belongs in libraries rather than the scripts themselves. Developers will also help with testing and reviewing each other's scripts as well as those submitted by the Nmap community. They may also have opportunities to improve the NSE engine and infrastructure itself (this is where the C/C++ experience helps).

In previous years we have sponsored up to 3 script developers in a single summer, but number of positions are determined by the number of available mentors and Google's slot allocations. Please specify your preferences among the following development roles:

While script developers may have specialties, they won't focus exclusively on that single niche. Sometimes priorities or workload balancing will dictate that they work on scripts or libraries which don't precisely match their NSE specialty.

Feature Creeper and Bug Wrangler

Key requirements: Strong C/C++ skills. Python and Lua skills are valuable as well.

There are many Nmap bugs and desired features which are quite important but take much less than a whole summer to implement. Some may only take hours, while others could take weeks or even a month. The feature creeper and bug wranglers handle many such tasks during the summer. This lets them explore and contribute to a wide variety of the Nmap code base rather than spending the whole summer working on just one subsystem. The exact tasks won't all be itemized in advance, but you can look at our bug tracker or the Nmap TODO list for the current list of pending tasks. Also see the community ideas page. If you apply for this task, you might mention several of the TODO items which you would be interested in and qualified for. Here are some more ideas:

Rather than take a specific role (bug wrangler or feature creeper), the individual(s) sponsored for this position will do some of each. If you have ideas for small feature-creeping/bug-wrangling tasks, we'd love to hear about them in your application.

Password security wizard

Key requirements: Solid networking skills and programming experience. C/C++ and Lua are the most important languages for this project (Lua is easy to learn). Performance optimization experience is helpful as well.

One of the biggest weaknesses in many major networked systems is the lowly password. No matter how high the general security "walls" are bult up, they're useless if an attacker can compromise a password and get in through the front door. And even if 99% of the passwords are good, it only takes that 1% of weak/default passwords to let the bad guys in.

For these reasons, the Nmap Project has developed a number of systems to allow organizations to test their passwords for security by brute force authentication cracking. One is the Ncrack tool, which was developed by Fotis Hantzis (Ithilgore) and Fyodor during a previous Summer of Code. But this Summer, our focus is improving the brute force authentication cracking ability of Nmap's native Nmap Scripting Engine.

The Nmap Scripting Engine currently has more than 70 scripts in our authentication checking ("brute") category. We also offer the brute library and a creds (credentials) library to make writing and maintaining these scripts easier. But there is plenty of room to make the system faster, more comprehensive, and more useful. While the exact tasks to do this summer will be worked out between the mentor and selected student, here are some ideas of valuable work for helping to close the persistent security risk:

The most likely mentor for this task would be Ncrack author Fotis Hantzis (Ithilgore).

Nping developer

Key requirements: C++ programming and software engineering skills.

Nping is the Nmap Project's tool for network packet generation, response analysis and response time measurement. It was developed during GSoC 2009 and 2010 by Luis MartinGarcia, and has grown to be an integral part of Nmap's tool suite. Unfortunately, the code is showing some neglect, with issues piling up and no new features added in several years. A bug hunter's paradise! We're eager to get these issues cleaned up and come up with new and exciting ways of using Nping.

A successful application will show an understanding of some of the problems Nping is facing and ideas for ways to solve them. Many bug fixes are already implemented in a development branch, so a plan of how to merge those changes in would be important, too.

Your Own Creative Idea!

Key requirements: Creativity

Don't feel constrained to the ideas we have suggested here. If you are very familiar with Nmap and have your own great idea for improvement, propose it! There will be dozens of applicants for each position listed on this page, but your suggestions have less competition. Before writing a whole proposal, we recommend that you send a paragraph or two describing your idea to the nmap-dev list for feedback. Also, the idea does have to be directly related to Nmap or its family of tools (Ncat, Ndiff, etc.) We're not going to sponsor unrelated security projects.

Note that even if we don't accept your project idea (maybe the timing is not right or it doesn't quite fit into the Nmap roadmap), we will consider you for other Nmap projects if possible. We pay close attention to the credentials of every applicant and are happy to work with anyone with exceptional talent to find a project which is highly desirable to them and to the Nmap project. So even submitting your own "long shot" idea is often more successful than cut and pasting one of the canned ideas on this page.

Community-contributed Ideas

Key requirements: Varies

If nothing yet has tickled your fancy and you don't want to propose your own idea from scratch, consider some of the community-contributed ideas on our wiki. Or feel free to add your own ideas there, even if you don't plan to apply for Nmap SoC.

In addition, we have many candidate ideas in the Nmap TODO list and the bug tracker.

Ready to apply? Great! Please visit our SoC Application Notes page for instructions.