We are happy to announce that the Cloud Native Computing Foundation (CNCF) is funding a new Kubernetes bug bounty program to reward researchers who find security vulnerabilities in Kubernetes’ codebase, as well as build and release processes. The program is being launched by the Kubernetes Product Security Committee, a group of security-focused maintainers who receive and respond to reports of security issues in Kubernetes, in concert with bug bounty program vendor, HackerOne. After having won the community-led RFP, HackerOne had their team pass the Certified Kubernetes Administrator (CKA) exam as part of the bootstrapping process.
As a CNCF graduated project, it is imperative that Kubernetes adhere to the highest levels of security best practices. Back in August 2019, CNCF formed the Security Audit Working Group and conducted Kubernetes’ first security audit, which helped the community identify issues from general weaknesses to critical vulnerabilities, enabling them to address these vulnerabilities and add documentation to help users.
To continue to drive awareness of Kubernetes’ security model and reward ongoing efforts in the community to secure Kubernetes, discussions began at the beginning of 2018 to launch an official bug bounty program. After several months of private testing, the Kubernetes Bug Bounty is now open to all security researchers.
For information on the scope of the program and how to get involved, check out the Kubernetes.io blog.