Securing Kubernetes: Bug bounty program announced

Kubernetes, the container orchestration program, has become hotter than hot. Everyone — and I mean everyone — is adopting it. But with quarterly major updates and everyone rushing to deploy it, security is a real worry. Thus, the Kubernetes Product Security Committee, funded by the Cloud Native Computing Foundation (CNCF) is launching a new bug bounty program to reward Kubernetes security bug hunters.

The bug bounty program has been in a private beta release for several months now. Almost two years since the initial proposal, the program is now ready for all security researchers.

Kubernetes already has a robust security team and response process, further cemented by the recent Kubernetes security audit. We have a stronger and more secure open-source project than we’ve ever had before. By launching a bug bounty program, we’re putting our money where our mouth is – and most importantly, rewarding the researchers already doing this important work. We hope to attract additional security researchers to get more eyes on the code, shakeout security bugs, and back up our work on Kubernetes security with financial support.

This bug bounty program will be operated by HackerOne, a self-proclaimed hacker-powered security company. To successfully run the program, the HackerOne team are all Certified Kubernetes Administrators (CKA). This isn’t an easy job. There are over 100 certified distributions of Kubernetes, and the bug bounty covers all their Kubernetes code.

Specifically, the bug bounty covers the main Kubernetes code kept on GitHub. It also watches over continuous integration, release, and documentation artifacts. In particular, they’re looking for security holes which could lead to cluster attacks. This includes privilege escalations, authentication bugs, and remote code execution in the kubelet or API server.

They’re also looking for workload information leaks or unexpected permission changes. Security researchers are also encouraged to look at the Kubernetes supply chain, including the build and release processes.

What it doesn’t cover is the community management tooling, like the Kubernetes mailing lists or Slack channel. Container escaLinuxpes, attacks on the Linux kernel, or other dependencies, such as etcd, are also out of scope and should be reported to their security teams. That said, they still want to hear about any Kubernetes vulnerability, even if not in scope for the bug bounty. These should be disclosed privately to the Kubernetes Product Security Committee.

Awards for security holes found in core Kubernetes programs will range from $200 for low priority problems to $10,000 for uncovered critical problems.