The Cloud Native Computing Foundation is funding a new Kubernetes bug bounty programme to reward researchers who find security vulnerabilities in Kubernetes’ codebase as well as build and release processes.
San Francisco, California-based CNCF is an open-source software foundation that hosts projects like Kubernetes and Prometheus.
The Kubernetes Product Security Committee, a group of security-focused maintainers who receive and respond to reports of security issues in Kubernetes, has rolled out the programme. The group is collaborating with HackerOne, a bug bounty programme vendor. The bounties range from $100 to $10,000.
“With our bug bounty program, initial triage and initial assessment are handled by the bug bounty provider, HackerOne, enabling us to better scale our limited Kubernetes security experts to handle only valid reports. Nothing else in this process is changing - the Product Security Committee will continue to develop fixes, build private patches, and coordinate special security releases,” the committee said in a blog post.
The group is particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or the API (application programming interface) server.
However, information leaks about a workload and unexpected permission changes are also of interest.
Kubernetes is an open source system used by DevOps teams to manage Linux containers across private, public and hybrid cloud environments.
As enterprises move to the cloud, Kubernetes has become an integral part of their digital infrastructure. All the major technology companies, such as IBM, Microsoft and VMware, are working on Kubernetes-related services.
In September 2019, Mindtree rolled out InnoApp for Kubernetes, a service intended to help enterprises deploy containerised cloud applications on Microsoft Azure faster.