The Cloud Native Computing Foundation (CNCF) has announced the launch of a vulnerability reward program for the popular Kubernetes orchestrator, hosted on the HackerOne platform.
The bug bounty program spent several months in a closed beta, and almost two years have passed since it was first announced. Now the program is finally open to all security researchers.
The developers promise to respond to submitted vulnerability reports within one business day, triage the vulnerabilities within 10 days, and pay rewards within 10 days after that.
Rewards range from 100 to 10,000 US dollars. The largest payments are reserved for vulnerabilities affecting the core of Kubernetes, for example flaws that could be used to make changes to the source code.
The program covers the main Kubernetes code, stored on GitHub, as well as problems associated with continuous integration, releases, and artifacts in the documentation. In particular, the developers are interested in security holes that could lead to cluster attacks, including privilege escalation, authentication bugs, and remote code execution in the kubelet or API server.