Kubernetes, Starting a Bug Bounty Program

Kubernetes, the container cluster build and management toolset, is starting a bug bounty program. Rewards will range from $200 to $10,000. As Kubernetes becomes more widespread, the project wants to ensure its security by encouraging security experts to find bugs.

The Kubernetes Product Security Committee announced the program on January 14. The committee is made up of maintainers who focus on security; it receives and responds to reports of security issues.

The bug bounty program was initially proposed in February 2018. After HackerOne was selected as the bug bounty platform, its feedback and the findings of the Kubernetes security audit were incorporated into the design of the program. It has been in private beta for several months and is now open to security researchers in general. The program is funded by the Cloud Native Computing Foundation (CNCF), the Linux Foundation project with which Kubernetes is affiliated.

HackerOne will perform the initial triage and evaluation of reported bugs, so that the Kubernetes Product Security Committee only has to work on valid issues. The process after that is unchanged: the committee develops patches for the bugs and coordinates security releases.

According to the project, there are over 100 certified Kubernetes distributions, and the bug bounty program covers all the code released under the Kubernetes organization on GitHub, which powers those certified distributions. Note that community management tools, the mailing list, the Slack channel, and attacks on the Linux kernel or other dependencies are out of scope.

For details on the Kubernetes bug bounty program, see the dedicated page on HackerOne or the Kubernetes security page on GitHub:

Kubernetes page on HackerOne
https://hackerone.com/kubernetes

Kubernetes security page on GitHub
https://github.com/kubernetes/security/blob/master/security-release-process.md