The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who find security vulnerabilities in Kubernetes’ codebase, as well as the build and release processes, will be rewarded with bounties ranging from $100 to $10,000.
Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it’s significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.
Although Google open-sourced Kubernetes in 2014, the company has (unsurprisingly) been involved in the bug bounty from day one. Google proposed the program, completed vendor evaluations, defined its initial scope, tested the new process, and onboarded bug bounty program vendor HackerOne. The CNCF started discussing the idea of an official bug bounty program in early 2018. The goal is to drive awareness of Kubernetes’ security model and reward ongoing efforts in the community to secure Kubernetes. In August 2019, the CNCF formed the Security Audit Working Group and conducted Kubernetes’ first security audit, which helped identify issues ranging from general weaknesses to critical vulnerabilities. The Kubernetes Bug Bounty was in private testing for several months, with invited researchers able to submit bugs and test the triage process. It’s now open to all security researchers.
A bug bounty for an open source infrastructure tool is rare. Given that there are more than 100 certified distributions of Kubernetes, the bug bounty program needs to apply to the Kubernetes code that powers all of them. HackerOne had its team pass the Certified Kubernetes Administrator exam to help members understand how to test the validity of a reported bug.
The bug bounty scope covers code from the main Kubernetes organizations on GitHub, as well as continuous integration, release, and documentation artifacts. The CNCF is particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server. The same goes for any information leak about a workload, or unexpected permission changes. Security researchers are also encouraged to look at the Kubernetes supply chain, including flaws in the build and release processes that would allow unauthorized access to commits or the ability to publish unauthorized artifacts.
The community management tooling (the Kubernetes mailing lists and Slack channel), as well as container escapes, attacks on the Linux kernel, or other dependencies, are out of scope. Out-of-scope Kubernetes vulnerabilities should be disclosed privately to the Kubernetes Product Security Committee, a group of security-focused maintainers who receive and respond to reports of security issues in Kubernetes. Whether they receive initial triage and assessment from HackerOne or do it themselves for out-of-scope issues, these maintainers will assess impact and generate and roll out a fix.
The bug bounties are broken into three tiers. The first tier is Core Kubernetes:
- GA & Beta features of core Kubernetes (e.g. k8s.io/kubernetes & staging) or Kubernetes-owned core dependencies (e.g. k8s.io/klog), as well as core addons (kube-proxy).
- The ability to alter source code without OWNER approval, or modify release artifacts.
- DoS attacks on release artifacts, including k8s.gcr.io or dl.k8s.io.
Rewards depend on the severity of the security hole: Critical ($10,000), High ($5,000), Medium ($1,000), and Low ($200).
The second tier is for GA and Beta features of non-core GA components (e.g. CSI drivers, k8s.io/dashboard, kubeadm). Rewards in this tier are all lower: Critical ($5,000), High ($2,500), Medium ($500), and Low ($100).
The third tier is for Kubernetes infrastructure (e.g. k8s.io, prow, documentation) and alpha features of core Kubernetes. The exception for the former is that a Kubernetes infrastructure compromise leading to code/artifact modification falls under the first tier. Rewards in this tier are even lower: Critical ($2,500), High ($1,250), Medium ($250), and Low ($100).