A public bug-bounty program for the Kubernetes container technology framework has just launched, backed by Google, HackerOne and the Cloud Native Computing Foundation (CNCF).
The Kubernetes container-orchestration system was originally built by Google for automating application deployment, scaling and management in the cloud. Google open-sourced the Kubernetes project in 2014, the culmination of 15 years of development experience. It is now maintained by the CNCF, whose community of volunteers will manage vulnerability processing and resolutions related to the bug-bounty program.
Bounties will range from $100 to $10,000. The program's scope covers code from the main Kubernetes organizations on GitHub (Kubernetes has more than 100 certified distributions), as well as "continuous integration, release and documentation artifacts," according to a Kubernetes security team post on Tuesday.
"Basically, most content you'd think of as 'core' Kubernetes…is in scope," according to the post.
The program's debut marks the release of one of the first bounty programs for underlying cloud infrastructure. "Some open-source bug bounty programs exist, such as the Internet Bug Bounty, this mostly covers core components that are consistently deployed across environments; but most bug bounties are still for hosted web apps," according to the Kubernetes post.
The Kubernetes security team said it is particularly interested in cluster attacks, such as privilege escalations, authentication bugs and remote code execution in the kubelet or API server.
"Any information leak about a workload, or unexpected permission changes is also of interest," they wrote. "Stepping back from the cluster admin's view of the world, you're also encouraged to look at the Kubernetes supply chain, including the build-and-release processes, which would allow any unauthorized access to commits, or the ability to publish unauthorized artifacts."
The project's community management tools, such as the Kubernetes mailing lists or Slack channel, are out of scope, as are container escapes, attacks on the Linux kernel or other issues arising from dependencies; these should be reported to the appropriate party instead.
Google also plans to be intimately involved in the program, which has been running in beta mode with invite-only researchers up until now.
"Kubernetes already has a robust security team and response process, further cemented by the recent Kubernetes security audit," according to a statement by Maya Kaczorowski, product manager for container security at Google Cloud, which first proposed the bug-bounty program.
"We have a stronger and more secure open-source project than we've ever had before. By launching a bug-bounty program, we're putting our money where our mouth is, and most importantly, rewarding the researchers already doing this important work. We hope to attract additional security researchers to get more eyes on the code, shake out security bugs, and back up our work on Kubernetes security with financial support," Kaczorowski said.
Cloud security is coming more and more into focus as companies look to achieve high-velocity operations and take advantage of the efficiencies that digital transformation can bring.
"The cloud allows companies to move quickly and be more agile so they can provide benefits to customers more quickly," Reed Loden, director of security at HackerOne, told Threatpost. "With the standardization cloud technology delivers to companies across the globe comes similar problems across websites hosted on the same cloud provider. This both makes it easier for attackers to exploit multiple websites and simplifies the process for defenders to learn and improve at a faster clip as they unearth common issues."
However, with uniformity comes documentation, "allowing friendly hackers and companies to learn from each other to avoid the common mistakes," he added. "When companies and researchers work together they can better improve defenses and build a safer internet."
Kubernetes has had its share of vulnerabilities. Last October, for instance, a pair of bugs, CVE-2019-16276 and CVE-2019-11253, were found that could allow an attacker to trivially bypass authentication controls to access a container. And earlier, a critical privilege-escalation vulnerability (CVE-2018-1002105) was uncovered that could allow an attacker unfettered, remote access for stealing data or crashing production applications.
"Moving servers from on-premise to the cloud comes with substantial benefits and risks, good and bad," Loden told Threatpost. "You can build software right using cloud or you can build it wrong using cloud, just like anything else."