bluebay2014 - Fotolia
Kubernetes security gets an assist with bug bounty program
The Kubernetes Security Product Group will outsource bug triage to HackerOne under a new bug bounty program that will offer rewards for bug reports up to $10,000.
The Cloud Native Computing Foundation wants to entice a broader community of independent researchers to work on Kubernetes security with a bug bounty program launched this week.
The program, which will see bug bounty vendor HackerOne take over Kubernetes security bug triage and verification from the Kubernetes Security Product Group, will offer rewards for independent security researchers of between $100 and $10,000.
The idea of a bug bounty program to boost Kubernetes security has been in discussions within the open source community since 2018, and last year a community RFP process selected HackerOne over Bugcrowd to administer the program. The Cloud Native Computing Foundation (CNCF) also conducted a public Kubernetes security audit last year.
Bug bounty programs, while widely used, vary in effectiveness, but IT pros that work with Kubernetes approved of the program rollout this week.
"Incentivizing the crowd to help identify and provide reproducible issues has benefits for any open source software project," said Chris Riley, DevOps delivery director at Cprime Inc., an Agile software development consulting firm in San Mateo, Calif. "The Kubernetes Security Product Group then has a pipeline of reported issues that are ready to reproduce, and they can focus on the resolution."
CNCF seeks broader Kubernetes security community
That was the major impetus for the decision to enlist HackerOne and launch the bug bounty program, according to Kubernetes Security Product Group members. The program is open to Kubernetes developers, but as Kubernetes matures and is more widely used, the community must expand beyond its core developer base to find security issues.
"The hope is that the bug bounty program will help us attract more of the security-focused research community, and help us draw attention to parts of the product that don't get as much attention from regular developers," said Tim Allclair, staff software engineer at Google and chair of the SIG-Auth group that oversees Kubernetes security.
Chris RileyDevOps delivery director, Cprime Inc.
For example, the open source supply chain for Kubernetes could use further security evaluation, Allclair said.
"We want to make sure that all code that's contributed is properly vetted," he said. The response to the bug bounty program, and any Kubernetes security issues it brings to light, will steer the activities of the Kubernetes Security Product Group in 2020.
CNCF declined to comment on the size of overall funding for the Kubernetes bug bounty program. Rewards of up to $10,000 are in line with other open source bug bounty programs, such as the Internet Bug Bounty.
The CNCF chose HackerOne over BugCrowd in January 2019, according to community documents, because of tight integration with GitHub and simple vulnerability report disclosure and automated response workflows. The RFP process and establishment of the bug bounty program came in the wake of a critical vulnerability in the container orchestration software disclosed in December 2018.
Kubernetes misconfiguration still the biggest threat
While the bug bounty program won't hurt, IT security analysts say it might not have a huge effect on Kubernetes security in general.
"Bug bounty programs don't replace things like the public security audit for Kubernetes and getting paid isn't a primary motivator for a lot of security researchers," said Daniel Kennedy, analyst at 451 Research.
Instead, security researchers are attracted to bug bounties because they offer a systematic process to report bugs and receive fixes in a specific timeframe -- something the Kubernetes Security Product Group already did. "It's noteworthy, and seems to have been applied properly, but I don't know that they'll get a huge pop out of it," Kennedy added.
Moreover, most Kubernetes security issues have little to do with vulnerabilities in the core platform.
"Usually, bad actors go after users that have misconfigured their systems, rather than the platforms themselves," Kennedy said.