The Cloud Native Computing Foundation is inviting bug hunters to search for and report vulnerabilities affecting Kubernetes. Offered bug bounties range between $100 to $10,000.
What is Kubernetes?
Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management.
It was designed by Google but has been open sourced and handed over to the Cloud Native Computing Foundation to continue its maintenance and has become a community project.
The Kubernetes bug bounty program
The program will be managed by HackerOne and reports will be investigated by a set of community volunteers.
Initially open just to invited researchers, the bug bounty program has now been opened to all who want to try their hand at discovering vulnerabilities in the 82 assets in scope, which span core Kubernetes and add-ons, Kubernetes-owned core dependencies, non-core components, and the Kubernetes infrastructure, including the main website and the Kubernetes build and test infrastructure.
A more granular list can be perused here.
“The bug bounty scope covers code from the main Kubernetes organizations on GitHub, as well as continuous integration, release, and documentation artifacts. Basically, most content you’d think of as ‘core’ Kubernetes, included at https://github.com/kubernetes, is in scope,” Google’s Maya Kaczorowski and Tim Allclair explained.
“We’re particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server. Any information leak about a workload, or unexpected permission changes is also of interest. Stepping back from the cluster admin’s view of the world, you’re also encouraged to look at the Kubernetes supply chain, including the build and release processes, which would allow any unauthorized access to commits, or the ability to publish unauthorized artifacts.”
Kaczorowski also pointed out that this program is a bit different from standard bug bounties, as there isn’t a ‘live’ environment for bug hunters to test.
“Kubernetes can be configured in many different ways, and we’re looking for bugs that affect any of those (except when existing configuration options could mitigate the bug),” she added.