The Kubernetes bug bounty program was announced today, after months of running in a ‘beta’ mode with invite-only researchers. The goal of the program is to secure one of the most widely used open source technologies through the support of the developer and hacker communities.
We often say open source is the backbone of the internet, so securing open source projects and ecosystems is essential to internet health. Kubernetes is no different. The open source container-orchestration system was originally built by Google for automating application deployment, scaling, and management. Google open-sourced the Kubernetes project in 2014, drawing on 15 years of experience running containers in production. It is now maintained by the Cloud Native Computing Foundation (CNCF), whose community of volunteers will manage vulnerability processing and resolution for reports that come in through the bug bounty program.
“As part of HackerOne’s mission to make the internet safer, we want to make it easier for open source projects to remain secure. That’s why we’re thrilled the Kubernetes Product Security Committee chose HackerOne to partner with Google and CNCF to help defend their users and secure the source.” — Reed Loden, Director of Security, HackerOne
Google’s commitment to Kubernetes didn’t end in 2014. In fact, the company has been involved in the bug bounty from day one: proposing the program, defining initial scope, and testing the new process.
“Kubernetes already has a robust security team and response process, further cemented by the recent Kubernetes security audit. We have a stronger and more secure open-source project than we’ve ever had before. By launching a bug bounty program, we’re putting our money where our mouth is, and most importantly, rewarding the researchers already doing this important work. We hope to attract additional security researchers to get more eyes on the code, shake out security bugs, and back up our work on Kubernetes security with financial support.” - Maya Kaczorowski, Product Manager for container security, Google Cloud
Kubernetes is a large and growing community of volunteers, users, and vendors. The Kubernetes community has adopted an industry-leading security disclosure and response policy to ensure critical issues are handled responsibly. The Kubernetes bug bounty program adds another layer of security assurance by rewarding researchers who find vulnerabilities in the container orchestration system. Bounties will range from $100 to $10,000.
“Just as many organizations support open source by hiring developers, paying bug bounties directly supports security researchers. This bug bounty program is a critical step for Kubernetes to build up its community of security researchers and reward their critical work.” - Tim Allclair, Software Engineer, Google Cloud, on behalf of the Kubernetes Product Security Committee
To learn more about the Kubernetes bug bounty program or to report a vulnerability, visit https://hackerone.com/kubernetes.