Kubernetes officially announced that the Kubernetes Product Security Committee is launching a new vulnerability bounty program funded by the CNCF to reward researchers who find security vulnerabilities in Kubernetes.
According to the CNCF, Kubernetes must adhere to the highest level of security. As early as August 2019, CNCF established a security audit working group and conducted Kubernetes’ first security audit. This audit helped the community identify issues ranging from general weaknesses to critical vulnerabilities, enabling them to address these vulnerabilities and add documentation to help the user.
Since the beginning of 2018, CNCF is planning to launch a vulnerability bounty program. Now, after months of private testing, Kubernetes Bug Bounty is open to all security researchers. The bug bounty program is operated by the security company HackerOne.
What is the scope
The bug bounty covers the main Kubernetes code stored on GitHub. Kubernetes says they are also particularly interested in cluster attacks, such as privilege escalation, authentication errors, and remote code execution in kubelet or API servers.
Community management tools (such as Kubernetes mailing lists or Slack channels) are out of scope. Container escapes, attacks on the Linux kernel or other dependencies (such as etcd) are also out of scope and should be reported to their security team.
Rewards for security vulnerabilities found in core Kubernetes programs can range from $ 200 for low-priority issues to $ 10,000 for critical issues. More details on how the bounty program works can be found on HackerOne’s Kubernetes bounty page.