The Cloud Native Computing Foundation (CNCF) has announced it is funding a bounty program for discovering security bugs in any distribution of Kubernetes.
Maya Kaczorowski, product manager for container security at Google, says the program will pay researchers a bounty of $100 to $10,000 for each bug validated by HackerOne, which provides a platform for managing bug bounty initiatives.
The goal, she says, is to encourage cybersecurity researchers to look for bugs that impact Kubernetes without overwhelming the members of the Kubernetes Product Security Committee with claims of discoveries that have not been triaged or validated.
The bug bounty program covers code from the main Kubernetes organizations on GitHub, as well as any continuous integration, release and documentation artifacts. Kaczorowski says the Kubernetes Product Security Committee is especially interested in cluster attacks that involve, for example, privilege escalations, authentication bugs and remote code execution in the kubelet or API server. Any information leak about a workload or unexpected permission changes is also of interest. In addition, the Kubernetes Product Security Committee is encouraging researchers to focus on any aspect of the Kubernetes supply chain, including the build and release processes, that could allow any unauthorized access to commits or an ability to publish unauthorized artifacts.
However, issues such as those that pertain to the operating systems on which Kubernetes distributions are deployed are not covered under the program.
The CNCF bug bounty program has been under development since 2018. However, because no one within the Kubernetes community is dedicated to working on this issue full-time, Kaczorowski says it’s taken some time to set up and vet the program with HackerOne.
Despite not having a dedicated team in place, Kaczorowski says Kubernetes security is robust and the bounty program is intended to attract additional third-party researchers to supplement those efforts. The Kubernetes Product Security Committee will then sign non-disclosure agreements with researchers to determine the timing for disclosing any bugs that are discovered and the existence of any patches that may be required, she says.
This latest bug bounty program is similar in scope to other vulnerability rewards program (VRP) that Google participates in, Kaczorowski adds. Google also recently expanded its Patch Rewards program to compensate cybersecurity researchers for their work on open source projects.
As is the case with any large-scale software project, disclosures of cybersecurity flaws are always going to be fraught with challenges. Many IT organizations resent the pressure created to patch IT environments, especially if they are running several release cycles behind on any platform. As part of embracing best DevOps practices, the CNCF has been encouraging organizations to stay as current on Kubernetes distributions as possible. The fact remains, however, that many organizations are running instances of Kubernetes based on versions that are well older than a year. In fact, it’s not uncommon now for bugs relating to older versions of software to now be routinely discovered long after they were initially rolled out. However, given the relative age of Kubernetes, that should for now at least be less of an issue in cloud-native computing environments.