With rewards starting at $100 and reaching $10,000

Jan 16, 2020 08:45 GMT
The bug bounty program was originally available only for invited researchers

The Kubernetes bug bounty program has officially become available for all researchers after previously launching only for a limited number of invited security experts.

The program, which runs on HackerOne, pays rewards that start at $100 and go up to $10,000 when the reported flaw affects core Kubernetes itself.

According to the official bug bounty guidelines, the maximum $10,000 payment is reserved for a critical vulnerability in GA or beta features of core Kubernetes, Kubernetes-owned core dependencies, or core add-ons. That top tier also covers supply-chain issues such as the ability to alter the source code without owner approval or to launch denial-of-service attacks against release artifacts.

Rapid payments

Maya Kaczorowski and Tim Allclair, both from Google, say that while all vulnerability reports are welcome, there are certain classes of flaws the program particularly wants researchers to look for.

“We’re particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server. Any information leak about a workload, or unexpected permission changes, are also of interest. Stepping back from the cluster admin’s view of the world, you’re also encouraged to look at the Kubernetes supply chain, including the build and release processes, which would allow any unauthorized access to commits, or the ability to publish unauthorized artifacts,” they say.

Kubernetes was originally developed by Google and is now maintained as an open-source project under the Cloud Native Computing Foundation.

Kubernetes’ Product Security Committee will continue to develop fixes and release patches for reports received via HackerOne. The team promises a first response to a report within one day, triage within a maximum of 10 days, and payment of the bounty within a further 10 days.

Full information on the bug bounty program is available on the page linked above and in the public announcement here.