Contribution guide

From SecWiki
Jump to: navigation, search


(this is a bit modified version of the response I gave to Shamika Dharmasiri in 2014 in this thread: ; feel free to modify it as you see fit though)

Glad to hear you're interested in contributing! :) Apparently you already took the first step and subscribed to our mailing list. The question you asked is actually quite common on our IRC channel (#nmap on and as far as I know, there's no official answer. Since I had the same problem a few months ago, I figured I'd at least describe my experiences, perhaps you'll like my suggestions.

Whoever you ask, you'll probably hear to start small if you have no experience. When I decided to try joining the Nmap community, my knowledge of C was mostly theoretical and I didn't know the codebase, nor the Nmap features. There's a lot to learn. Thus my first suggestion - read the documentation first (or even better, Fyodor's book - partially available for free at, grab the latest copy of Nmap and try just running stuff. See what you're interested in.

Once you've done that, I'd suggest you to take a look at Nmap's TODO file. You can find it here:

Nmap maintainers care a lot about the quality of the code, especially its security. Keep in mind that if you intend to write a patch, it's unlikely that it will be merged in right away. Expect constructive criticism. You might be asked for a test case, an update for the documentation, perhaps some fixes to the Windows code if it got broken by the feature you wrote.

Don't get discouraged, though. There are spots where you can write a patch that will be easily mergable. There's probably quite a few bugs in the programs that are waiting to be spotted and fixed - it usually takes a few lines of code to get them right.

In my case, when I wanted to write something that has a high chance of getting accepted, I decided to translate Zenmap, our awesome GUI frontend for Nmap scanner, to Polish. It's not like I love translating things, but I knew that basically nobody likes that so the work would probably be appreciated. For example, if you are from Sri Lanka, according to Wikipedia there are potentially two languages you could prepare the translations to. It should take you about 3-6 hours and I guarantee you that you'll learn a lot about Nmap in the process.

IMHO by far the greatest way to contribute to Nmap and learn a humongous lot about both the project and software development/open source community mechanisms is to participate in Google Summer of Code. In case you hadn't heard of it, GSoC is an annual stipend, in which students work full time remotely on the project they chose. The ones that pass the program (which isn't difficult if you actually work) will get a reward of 5500$ for 3 months of coding. You will be assigned a mentor and I can gurantee you that Nmap staff is very experienced and will help you out in difficult situations and teach you a lot. It's a great program and I definitely recommend you to read up on it. If you're motivated, you're very likely to get accepted. See their website at:

The last thing I'd like to point out is that coding and/or translating things are not the only ways to participate in Nmap community. Among other things, we need discussion, ideas, feedback, testing. There is a lot of subprojects being maintained as a part of Nmap (I, for one, mostly contributed to Ncat, Nmap's greatly improved netcat clone) and if none of them suits your need, you're welcome to start your own one, provided that you comply to the license. If you also know some uncommon server or protocol, you might want to try writing an NSE script or a probe that checks for it. The documentation is quite detailed and writing NSE scripts is really fun! :)

As for your web development skills, there was once a project of a website that allows the user to manage Nmap scans through a website. I don't know the details, so you might need to do some research on your own to find it. I think it was a GSoC project and it could be written in PHP, but I'm really not sure about these.

I could probably go on and on, but I think I'll end there. Should you have any further questions, let me know and I'll answer you, most preferably on this mailing list, so that other potentially interested newbies might hear the answers as well. Keep in mind though that it might sometimes take some time to get a reply - from time to time, even a few weeks of delay happen to be normal.

So, good luck and see you on the mailing list! I'm looking forward to reading your first patch :)

Yours, Jacek Wielemborek