Kubernetes launches bug bounty program

Researchers and regular users who uncover vulnerabilities in container orchestrator Kubernetes can now look forward to receiving a reward for letting the K8s team know. 

After an open evaluation and training period, the crew behind the CNCF-backed project has started a bug bounty program on HackerOne, offering as much as $10,000 for detailed information on critical issues. With interest in the project at an all-time high, and its vulnerabilities affecting more and more infrastructure, some of it critical, the program is meant to “build up its community of security researchers and reward their hard work”.

Its scope mostly covers the core of Kubernetes, with the team especially interested in privilege escalation, authentication bugs, and remote code execution; these priorities are also reflected in the program’s tiering. The largest rewards are reserved for reproducible reports of bugs that allow code to be altered without owner approval, as well as denial-of-service attacks on release artifacts, in generally available or beta features of the Kubernetes core, owned dependencies, and core add-ons.

While rewards on this first tier range from $200 (low severity) to $10,000 (critical), looking at non-core components like the dashboard or kubeadm is still worth considering, with bounties from $100 to $5,000 available. Reporting glitches in alpha features of the core or in infrastructure components that don’t lead to artifact modification can bring in up to $2,500.

Participation is open to anyone who isn’t part of the Cloud Native Computing Foundation’s staff, the Kubernetes product security committee, or the HackerOne program team. To qualify for a reward, a report has to be detailed enough to let the teams involved reproduce the issue in question. It also can’t be a duplicate of something already on record, and it won’t be considered for a prize if the issue was found using social engineering techniques.

Any reports handed in via the program will first be assessed by HackerOne, which will also triage the issue to free up the capacity of the Kubernetes security experts. The product security committee, however, will still coordinate security releases and write patches. Adding resources in the shape of the program seems like a good choice given Kubernetes’ popularity, especially since its creators have admitted that security wasn’t a top concern when they started.

Although the bounty program has been in development for almost two years, its release at this point in time seems to mirror a heightened interest in security in the cloud native space as a whole. In the last couple of weeks alone, the CNCF advanced two security-related projects to their respective next levels, while the demand for security tooling keeps picking up.