Announcing the Kubernetes bug bounty program
Authors: Maya Kaczorowski and Tim Allclair, Google, on behalf of the
Today, the
Setting up a new bug bounty program
We aimed to set up this bug bounty program as transparently as possible, with an initial proposal,
What’s exciting is that this is rare: a bug bounty for an open-source infrastructure tool. Some open-source bug bounty programs exist, such as the
What’s in scope
The bug bounty scope covers code from the main Kubernetes organizations on GitHub, as well as continuous integration, release, and documentation artifacts. Basically, most content you’d think of as ‘core’ Kubernetes, included at
Notably out of scope is the community management tooling, e.g., the Kubernetes mailing lists or Slack channel. Container escapes, attacks on the Linux kernel, or other dependencies, such as etcd, are also out of scope and should be reported to the appropriate party. We would still appreciate that any Kubernetes vulnerability, even if not in scope for the bug bounty, be . Kubernetes’
How Kubernetes handles vulnerabilities and disclosures
With our bug bounty program, initial triage and initial assessment are handled by the bug bounty provider, in this case HackerOne, enabling us to better scale our limited Kubernetes security experts to handle only valid reports. Nothing else in this process is changing - the Product Security Committee will continue to develop fixes, build private patches, and coordinate special security releases. New releases with security patches will be announced at
Get started
If you want to report a bug, you don’t need to use the bug bounty - you can still follow the security@kubernetes.io. Just as many organizations support open source by hiring developers, paying bug bounties directly supports security researchers. This bug bounty is a critical step for Kubernetes to build up its community of security researchers and reward their hard work.
If you’re a security researcher, and new to Kubernetes, check out these resources to learn more and get started bug hunting:
If you find something, please report a security bug to the Kubernetes bug bounty at