The Cloud Native Computing Foundation (CNCF) today announced its first bug bounty program for Kubernetes, the ubiquitous container orchestration system originally built by Google. To run this program, the CNCF is partnering with Google and HackerOne and bounties will range from $100 to $10,000.
Kubernetes already has a Product Security Committee that includes engineers from Google's own Kubernetes security team, and there are obviously plenty of eyes on the code. A bounty program, however, will get more (and new) security researchers to examine the code and help reward those who are already doing this work.
“Kubernetes already has a robust security team and response process, further cemented by the recent Kubernetes security audit," said Maya Kaczorowski the product manager for container security at Google. "We have a stronger and more secure open-source project than we’ve ever had before. By launching a bug bounty program, we’re putting our money where our mouth is -- and most importantly, rewarding the researchers already doing this important work. We hope to attract additional security researchers to get more eyes on the code, shakeout security bugs and back up our work on Kubernetes security with financial support.”
The bounty includes all of the core Kubernetes components in its GitHub repository. Specifically, the team notes, it is interested in authentication bugs, potential privilege escalations and remote code execution bugs in the kubelet and API server. The CNCF also stresses that researchers are encouraged to look at the overall Kubernetes supply chain. You can find the exact details of how the program and rewards are structured here.