The Cloud Native Computing Foundation today announced the creation of a new bug bounty program for the open-source Kubernetes container orchestration tool.

The goal of the program is to secure what is one of the most widely used open-source technologies in the enterprise today. Software containers are used to host modern applications that can run on any kind of computing infrastructure, and Kubernetes has emerged as the most popular tool for managing them.

The program is meant to encourage security researchers to report any vulnerabilities they find in Kubernetes’ code by offering them financial incentives to do so.

The CNCF said HackerOne has been selected to run the bug bounty program. Any bugs that are discovered will first be assessed by HackerOne’s experts. Those deemed to be “valid” will then be reported to the Kubernetes Product Security Committee, which includes engineers from Google’s Kubernetes Engineer security team and is responsible for issuing security patches.

The program has a pretty wide scope. Kubernetes is notably much bigger than most other open-source technologies, with more than 100 certified distributions of the software being offered by various companies. So the bug bounty is chiefly focused on vulnerabilities discovered in the common codebase published on GitHub, on which all of those distributions are based.

“Basically, most content you’d think of as ‘core’ Kubernetes is in scope,” Google engineers Maya Kaczorowski and Tim Allclair, who sit on the Kubernetes Product Security Committee, wrote in a blog post.

“We’re particularly interested in cluster attacks, such as privilege escalations, authentication bugs, and remote code execution in the kubelet or API server,” they said. “Any information leak about a workload, or unexpected permission changes is also of interest. Stepping back from the cluster admin’s view of the world, you’re also encouraged to look at the Kubernetes supply chain, including the build and release processes, which would allow any unauthorized access to commits, or the ability to publish unauthorized artifacts.”

The bug bounty program is an important step for Kubernetes, Constellation Research Inc. analyst Holger Mueller told SiliconANGLE, explaining that with more eyes on the case, more bugs will be found.

“If a bug bounty program uncovers serious vulnerabilities in Kubernetes, them the $10,000 reward is actually a small amount to pay,” Mueller said. “If it motivates more people to check the code, it’s a win for the community, for Kubernetes and most importantly for enterprises that use Kubernetes to power their next-generational applications.”

The Kubernetes bug bounty program is accepting submissions now, with rewards ranging from $100 all the way up to $10,000 for the most serious vulnerabilities.

Photo: mohamed_hassan/Pixabay