- On Tuesday, the open source cloud project Kubernetes, which was first started at Google and is now used by over half the Fortune 500, launched a bug bounty program to pay developers for finding flaws in the project.
- It’s an unusual move: While bug bounty programs are used by private companies like Uber and Nintendo to help incentivize so-called white-hat hackers to find potential problems before the bad guys do, it’s not common to hear about a similar initiative for an open source project.
- The Cloud Native Computing Foundation, to whom Google donated the project, will pay the bounties, while startup HackerOne will be used to report and prioritize bugs.
- The Kubernetes security committee hopes to build up a larger security research community for the project, which is vital given how widely it’s being used.
Developers who hunt for and successfully discover bugs in the popular open source cloud project Kubernetes can now get paid for it.
That’s because on Tuesday, the Kubernetes product security committee announced a new bug bounty program, which rewards people for finding bugs in the project. Since Kubernetes launched in 2014, it has become wildly popular, and is used by the three major cloud providers and more than half of the Fortune 500.
Companies like VMware and Red Hat are also betting on it as a major part of their strategy. There’s even a conference, KubeCon, dedicated to Kubernetes, which attracted some 12,000 developers when it was held in 2019.
In this bug bounty program, the Cloud Native Computing Foundation (CNCF) will pay for rewards that range from $100 to $10,000, while the security committee will use the bug bounty platform HackerOne, itself a hot cybersecurity startup, to help prioritize what bugs to fix. By starting this program, the committee also hopes to build up a community of security researchers around Kubernetes.
While bug bounty programs are frequently used by companies like Starbucks, Uber, Atlassian, and Tesla, some open source projects have started them as well: PHP, OpenSSL, and NGINX, for example, all have bug bounty programs. Still, it’s not an initiative typically associated with open source projects.
“It is fairly rare in that regard,” Google product manager Maya Kaczorowski told Business Insider. “It’s not as common. There are not as many researchers who are used to reporting bounties, but we want to track them and support them in the work they’re doing, just like you can support open source developers by hiring developers to work on this code.”
Even so, the company hopes the program will attract top talent to making Kubernetes safer, which is vital given how widely it’s now being used.
“With the launch of the bug bounty program, we’re hoping to attract a wider security researcher community, get more eyes on the product and make the product more secure that way,” Google staff software engineer Tim Allclair, who is a member of the Kubernetes security committee, told Business Insider.
‘More attention and more eyes’
Kubernetes was first started by a group of Google engineers, but it’s since been donated to CNCF to guide and oversee. That being said, Google is still heavily involved in contributing to the Kubernetes project through both code contributions and monetary support.
“Kubernetes already has a robust security team and process for taking security seriously,” Kaczorowski said. “We’re reinforcing that…If someone gets hacked running Kubernetes on another cloud provider, that affects us because it affects the reputation of Google.”
The bug bounty program for Kubernetes was first proposed in early 2018. The Kubernetes project already had a process in place for receiving and handling vulnerability reports; now those reports will come in through HackerOne, and the security committee will decide how to award bounties for them. The committee also expects to receive a higher volume of reports.
“I’m excited to get more attention and eyes on the product,” Allclair said. “Hopefully more vulnerabilities get reported or get reported earlier.”