The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who discover security vulnerabilities in the Kubernetes codebase, as well as in the build and release processes, will be rewarded with bounties ranging from $100 to $10,000.

Bug bounty programs encourage individuals and hacker groups not only to find flaws but to disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it is significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.

Although Google open-sourced Kubernetes in 2014, the company has (unsurprisingly) been involved in the bug bounty from day one. Google proposed the program, completed vendor evaluations, defined its initial scope, tested the new process, and onboarded bug bounty program vendor HackerOne. The CNCF began discussing the idea of an official bug bounty program in early 2018. The goal is to drive awareness of the Kubernetes security model and reward ongoing efforts in the community to secure Kubernetes. In August 2019, the CNCF formed the Security Audit Working Group and conducted the first Kubernetes security audit, which helped identify everything from general weaknesses to critical vulnerabilities. The Kubernetes Bug Bounty was in private testing for several months, with invited researchers able to submit bugs and test the triage process. It is now open to all security researchers.

Scope

A bug bounty for an open source infrastructure tool is rare. Given that there are more than 100 certified distributions of Kubernetes, the bug bounty program needs to apply to the Kubernetes code that powers all of them. HackerOne had its team pass the Certified Kubernetes Administrator exam to help members understand how to test the validity of a reported bug.

The bug bounty scope covers code from the main Kubernetes organizations on GitHub, as well as continuous integration, release, and documentation artifacts. The CNCF is particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server. The same goes for any information leak about a workload, or unexpected permission changes. Security researchers are also encouraged to look at the Kubernetes supply chain, including the build and release processes, for anything that could allow unauthorized access to commits or the ability to publish unauthorized artifacts.

The community management tooling (the Kubernetes mailing lists and Slack channel), as well as container escapes, attacks on the Linux kernel, or other dependencies, are out of scope. Out-of-scope Kubernetes vulnerabilities should be disclosed privately to the Kubernetes Product Security Committee, a group of security-focused maintainers who receive and respond to reports of security issues in Kubernetes. Whether they receive initial triage and assessment from HackerOne or do it themselves for out-of-scope issues, these maintainers will assess impact and develop and roll out a fix.

Bounties

The bug bounties are broken into three tiers. The first tier is Core Kubernetes:

  • GA & Beta features of core Kubernetes (e.g. k8s.io/kubernetes & staging) or Kubernetes-owned core dependencies (e.g. k8s.io/klog), as well as core addons (kube-proxy).
  • The ability to modify source code without OWNER approval, or to modify release artifacts.
  • DoS attacks on release artifacts, including k8s.gcr.io or dl.k8s.io.

Rewards depend on the severity of the security hole: Critical ($10,000), High ($5,000), Medium ($1,000), and Low ($200).

The second tier is for GA and Beta features of non-core GA components (e.g. CSI drivers, k8s.io/dashboard, kube-adm). Rewards in this tier are all lower: Critical ($5,000), High ($2,500), Medium ($500), and Low ($100).

The third tier is for Kubernetes infrastructure (e.g. k8s.io, prow, documentation) and alpha features of core Kubernetes. The exception for the former is that a Kubernetes infrastructure compromise leading to code or artifact modification falls under the first tier. Rewards in this tier are lower still: Critical ($2,500), High ($1,250), Medium ($250), and Low ($100).

If you are a security researcher new to Kubernetes, you should check out the hardening guides and CIS benchmarks.