The Kubernetes Product Security Committee has launched a new bug bounty program, funded by the Cloud Native Computing Foundation (CNCF), to reward security researchers for finding vulnerabilities in the Kubernetes codebase and in its build and release processes. The bounties range from $100 to $10,000.
Originally designed by Google and now hosted by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Bug bounty programs are increasingly used by organisations to improve the security of their products. These programs provide an incentive for researchers (white hats or threat hunters) to responsibly disclose software bugs, allowing security teams to crowdsource vulnerability testing.
Google open-sourced Kubernetes in 2014, and the CNCF started discussing the idea of an official bug bounty program in early 2018. The CNCF recently proposed the bug bounty program, completed vendor evaluations, defined its initial scope, tested the new process, and onboarded HackerOne as the bug bounty platform. The goal is to drive awareness of Kubernetes' security model and reward the community's ongoing efforts to secure the framework. In August 2019, the CNCF formed the Security Audit Working Group and conducted Kubernetes' first security audit, which helped to identify general weaknesses and critical vulnerabilities. The Kubernetes bug bounty program has been in private testing for several months, with invited researchers able to submit bugs and exercise the triage process. It is now open to all security researchers. Maya Kaczorowski and Tim Allclair, both from Google, said in their announcement on behalf of the Kubernetes Product Security Committee:
What's exciting is that this is rare: a bug bounty for an open-source infrastructure tool. Some open-source bug bounty programs exist, such as the Internet Bug Bounty; this mostly covers core components that are consistently deployed across environments, but most bug bounties are still for hosted web apps. In fact, with more than 100 certified distributions of Kubernetes, the bug bounty program needs to apply to the Kubernetes code that powers all of them. By far, the most time-consuming challenge here has been ensuring that the program provider (HackerOne) and their researchers who do the first line triage have the awareness of Kubernetes and the ability to easily test the validity of a reported bug. As part of the bootstrapping process, HackerOne had their team pass the (CKA) exam.
The bug bounty scope covers code from the main Kubernetes organisations on GitHub, as well as continuous integration, release and documentation artefacts. The CNCF is particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server. They are similarly interested in any information leak about a workload, or in unexpected permission changes. Security researchers are also encouraged to look at the Kubernetes supply chain, including the build and release processes, for anything that would allow unauthorised access to commits or the ability to publish unauthorised artefacts.
The community management tooling (the Kubernetes mailing lists and Slack channel), as well as container escapes, attacks on the Linux kernel, or attacks on other dependencies, are out of scope. Out-of-scope Kubernetes vulnerabilities should be disclosed privately to the Kubernetes Product Security Committee, a group of security-focused maintainers who receive and respond to reports of security issues. Whether a report arrives with initial triage and assessment from HackerOne or, for out-of-scope issues, is triaged by the maintainers themselves, the committee will assess its impact and generate and roll out a fix.
Rewards are based on severity per CVSS (the Common Vulnerability Scoring System) and are broken into three tiers: core Kubernetes, non-core components and Kubernetes infrastructure. The program rules are available on GitHub.