Kubernetes / Security

CNCF Bug Bounty Program Shines a Light on the Darker Corners of Kubernetes

14 Jan 2020 10:51am, by

After several months in beta testing with selected security researchers, the Kubernetes bug bounty program launched Tuesday. It is a joint effort of the Cloud Native Computing Foundation (CNCF), Google, HackerOne and the Kubernetes Product Security Committee. Google first proposed the program and defined the initial proposal in early 2018, with HackerOne winning a community-led request for proposal (RFP) and CNCF providing the funding. Bounties will range from $100 to $10,000 depending on the severity, and HackerOne will handle the initial triage and assessment of newly submitted bugs.

In its blog post on the launch, the security committee pointed out the rarity of a bug bounty for an open-source infrastructure tool, noting that most such programs are for “components that are consistently deployed across environments” and web-based apps. Kubernetes provides a much different challenge, with the bounty program’s scope including code from the main Kubernetes organizations on GitHub, as well as continuous integration, release, and documentation artifacts — “basically, most content you’d think of as ‘core’ Kubernetes,” they write.

In an interview with The New Stack, Maya Kaczorowski, product manager at Google, described just how much Kubernetes differs from these other tools:

This bug bounty is different from other ones because there isn’t a single live environment for researchers to test, which is pretty common for bug bounty programs. Since Kubernetes can be configured in so many different ways, we’re looking for bugs that could affect any of those environments. That makes it harder to validate bugs because they’re going to have to be tested on an environment-to-environment basis to replicate what a security researcher used. With over a hundred certified distributions of Kubernetes, this bug of any program has to apply to all of them. That gives us a huge scope.

While community tooling such as mailing lists and the Slack channel are not included in the scope, the committee says that it is “particularly interested in cluster attacks” as well as information leaks, unexpected privilege changes, and the Kubernetes supply chain. This is where Kubernetes Product Security Committee member Tim Allclair said he saw some unexpected success during the several months of beta testing. While Allclair said that it was helpful for the committee to learn the HackerOne tools and test out the triage process, more importantly, he saw that the program would shine a light on some less scrutinized areas of Kubernetes.

“We did find some issues in the supply chain, which is one of the areas that I’m really excited to see this program succeed,” said Allclair. “A lot of our past reports have been submitted mostly focusing on the code that is running as part of Kubernetes. I’m excited to see a little more attention paid to all of the infrastructure that supports Kubernetes.”

Bug Bounties for Infra Tech

The bug bounty is the first one put in place by the CNCF for one of its projects and CNCF Chief Operating Officer Chris Aniszczyk said it would be something they would have to treat on a case-by-case basis for other CNCF projects.

“Not all projects are at the scale or scope of Kubernetes that they may need a bug bounty program. It is a cost to the foundation to run these things, so we’d probably favor our graduated projects over the other smaller ones we have in the ecosystem,” Aniszczyk told The New Stack. “When we started rolling out security audits for CNCF, we beta tested it and piloted it out for a few projects. We’ll probably do the same thing for the bug bounty program down the line.”

And just in case you might think the program was for security researchers alone, Allclair made sure to clarify that it was open to all who were interested.

“We talk a lot about security researchers and we use that term in the blog posts as well, but a lot of our past security issues have been reported by developers who are building a feature in Kubernetes and notice something that looks not quite right. They report it to us through the email disclosure process that we had before. Those developers are welcome to join the program as well and submit their bugs for bounty. You don’t need to be an existing, established security researcher to claim a bounty for a bug that you found,” he said.

Allclair was also sure to note, however, that the security committee was leaving the email disclosure process open, for those who don’t want to sign up for the HackerOne bug bounty program.

The Cloud Native Computing Foundation is a sponsor of The New Stack.

Feature image via Pixabay.