The Cloud Native Computing Foundation (CNCF) has announced the creation of a new bug bounty program for Kubernetes. The goal of the program is to better secure the widely used open-source technology.
Bug bounty means that IT people who discover bugs receive financial compensation, which should encourage more people to detect bugs. As Kubernetes is now the most popular tool for container orchestration, there will also be more and more security problems.
The CNCF says that HackerOne has been selected to run the bug bounty program. Any bugs that are discovered will, therefore, first be evaluated by experts at HackerOne. These bugs are then passed on to the Kubernetes Product Security Committee, which consists of engineers from Google’s Kubernetes Engineer security team. That team is ultimately responsible for rolling out patches.
“Basically, most content you’d think of as ‘core’ Kubernetes is in scope,” Google engineers Maya Kaczorowski and Tim Allclair, of the Kubernetes Product Security Committee, stated.
“We’re particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server,” they said. “Any information leak about a workload, or unexpected permission changes is also of interest. Stepping back from the cluster admin’s view of the world, you’re also encouraged to look at the Kubernetes supply chain, including the build and release processes, which would allow any unauthorized access to commits, or the ability to publish unauthorized artifacts.”