Kubernetes has recently announced a much-needed step in the light of its popularity and the growing userbase. Reportedly, Kubernetes has launched a bug bounty program for all bug hunters willing to help secure Kubernetes.
Kubernetes Bug Bounty Program
Recently, Kubernetes has announced the launch of a dedicated bug bounty program. This step will supposedly help the owners to secure one of the most widely used technology.
Though, the Google-built open-source container-orchestration system is already looked after by a vigilant security team. Nonetheless, the specific reward program for the entire researchers’ community will further assist in making the open-source platform even safer.
According to Maya Kaczorowski, Product Manager for container security, Google Cloud,
Kubernetes already has a robust security team and response process, further cemented by the recent Kubernetes security audit. We have a stronger and more secure open-source project than we’ve ever had before. By launching a bug bounty program, we’re putting our money where our mouth is – and most importantly, rewarding the researchers already doing this important work. We hope to attract additional security researchers to get more eyes on the code, shakeout security bugs, and back up our work on Kubernetes security with financial support.
$100 to $10,000 Bounties
With the new bug bounty program, Kubernetes has announced rewards ranging from $100 to $10,000 for reporting various bounties. These bounties cover bugs in three tiers.
Tier 1 covers bugs impacting “Core Kubernetes” awarding $10,000, $5000, $1000, and $200 for critical, high, medium, and low severity bugs respectively.
The Tier 2 includes bug affecting non-core GA components. It offers $5000, $2500, $500, and $100 bounties for critical, high, medium, and low severity bugs.
Whereas, Tier 3 includes flaws in Kubernetes infrastructure and alpha features of core Kubernetes. The bounties in tier include $2500, $1250, $250, and $100 for critical, high, medium, and low severity vulnerabilities, respectively.
Detailed information regarding the eligibility criteria under their bounty program is available on the Kubernetes bounty page. For all bugs that do not fall under the scope of the bounty program, the researchers can inform Kubernetes about them via their private vulnerability disclosure option.
Let us know your thoughts in the comments.