Security News > 2020 > January > Kubernetes bug bounty program open to anyone, rewards up to $10,000

The Cloud Native Computing Foundation is inviting bug hunters to search for and report vulnerabilities affecting Kubernetes.

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management.

Initially open just to invited researchers, the bug bounty program has now been opened to all who want to try their hand at discovering vulnerabilities in the 82 assets in scope, which span core Kubernetes and add-ons, Kubernetes-owned core dependencies, non-core components, and the Kubernetes infrastructure, including the main website and the Kubernetes build and test infrastructure.

"We're particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server. Any information leak about a workload, or unexpected permission changes is also of interest. Stepping back from the cluster admin's view of the world, you're also encouraged to look at the Kubernetes supply chain, including the build and release processes, which would allow any unauthorized access to commits, or the ability to publish unauthorized artifacts."

Kaczorowski also pointed out that this program is a bit different from standard bug bounties, as there isn't a 'live' environment for bug hunters to test.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/ZjINqCpoYEs/