Kubernetes, the open-source container management system, has opened up its formerly private bug bounty program and is asking hackers to look for bugs not just in the core Kubernetes code, but also in the supply chain that feeds into the project.
The new bounty program is supported by Google, which originally wrote Kubernetes, and it extends what had until now been an invitation-only program. Google has lent financial support and security expertise to other bug bounty programs for open source projects. Rewards range from $100 to $10,000, and the scope of what counts as a valid target is unusually broad.
“The bug bounty scope covers code from the main Kubernetes organizations on GitHub, as well as continuous integration, release, and documentation artifacts. Basically, most content you’d think of as ‘core’ Kubernetes, included at https://github.com/kubernetes, is in scope. We’re particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server. Any information leak about a workload, or unexpected permission changes is also of interest,” said Maya Kaczorowski and Tim Allclair of Google.
“Stepping back from the cluster admin’s view of the world, you’re also encouraged to look at the Kubernetes supply chain, including the build and release processes, which would allow any unauthorized access to commits, or the ability to publish unauthorized artifacts.”
Kubernetes is used on a number of cloud platforms and is now maintained by the Cloud Native Computing Foundation (CNCF). Bug bounties are now commonplace for web applications, cloud services, and mobile apps, but there are far fewer of them in the open source community. The main reason is funding: many open source projects are either volunteer-driven or run by a small team of developers on a tight budget.
The major exception is the Internet Bug Bounty program, which is sponsored by Microsoft, Facebook, and GitHub, among others. That program offers bounties for several software projects that are integral to the security of the Internet, including OpenSSL, Apache httpd, Perl, Nginx, and Ruby. The Internet Bug Bounty is managed by HackerOne, as is the new Kubernetes program.
“What’s exciting is that this is rare: a bug bounty for an open-source infrastructure tool. Some open-source bug bounty programs exist, such as the Internet Bug Bounty, which mostly covers core components that are consistently deployed across environments; but most bug bounties are still for hosted web apps. In fact, with more than 100 certified distributions of Kubernetes, the bug bounty program needs to apply to the Kubernetes code that powers all of them,” Kaczorowski and Allclair said.