►
From YouTube: The Kubernetes Bug Bounty Program - What Researchers & Users Need to Know- Taahir Ahmed & Reed Loden
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
The Kubernetes Bug Bounty Program - What Researchers and Users Need to Know - Taahir Ahmed, Google & Reed Loden, HackerOne
In January, Kubernetes launched a bug bounty program (BBP), creating a centralized way for security researchers to report vulnerabilities they find in products in exchange for monetary rewards. Just as many organizations support open source by hiring developers, paying bug bounties directly supports security researchers. The Kubernetes BBP is particularly interesting as it’s still rare for a large scale, open-source infrastructure project to have a public BBP. In this talk, we’ll cover what a BBP is and what it means for Kubernetes. We’ll cover vendor selection for the bug bounty, defining the scope and rewards, learnings from the private beta, and what you need to know as a researcher and user today. We’ll also reiterate how the Product Security Committee responds to new vulnerabilities, so you know what’s being done to keep clusters safe.
https://sched.co/Zesx
A
B
A
B
So,
first
of
all,
since
we're
going
to
talk
about
hackers,
let's
actually
define
the
term
hacker,
there's
a
lot
of
misconceptions
about
what
hackers
are
and
are
not.
If
we
start
a
search
to
see
what
the
public
thinks
about
hackers.
It's
not
great.
You
know
you
see
the
instant
search
results
here.
These
are
what
people
are
actually
searching
for
and
in
fact,
if
you
do
an
image
search,
it
seems
all
hackers
wear
hoodies
and
like
they
have
this
glowing
green
code
and
it's
just
matrix
behind
them.
B
They're
bent
over
their
laptop
typing,
it's
all
pretty
dramatic,
and
we
just
we
definitely
know
that
this
is
just
not
the
case.
So
what
is
a
hacker
you
know?
Often
the
word
has
negative
connotations,
but
at
hacker
one
we
believe
in
hacking
for
good.
There
are
many
other
names
for
hackers,
think
of
security
researcher,
perhaps
finder,
but
simply
we
believe
that
a
hacker
can
be
defined.
As
someone
who
enjoys
the
intellectual
challenge
of
creatively,
overcoming
limitations.
B
Well,
there's
basically
kind
of
three
different
ways:
let's
start
with
the
simplest
form,
it's
called
vulnerability
coordination,
it's
a
much
more
reactive
approach
by
publishing
a
process
that
informs
people
outside
your
organization.
What
to
do
when
they,
you
know,
discover
a
potential
security
issue.
It
is
basically
saying
like
hey
if
you
find
something.
Let
us
know
the
us
department
of
defense
calls
this
the
see
something
say
something
model
of
the
digital
world
you
could
see.
B
This
is
you
know,
starting
the
process
of
you
know
welcoming
hackers
letting
out
the
welcome
mat
for
hackers.
But,
more
increasingly,
I
see
vulnerability
coordination
getting
required
for
compliance
in
certain
initiatives.
Front
runners
would
be
the
automotive
industry,
healthcare
industry
and
even
the
government
as
well.
B
A
step
up
is
hacker
powered
pin
test.
So
the
key
point
here
is
the
diverse
set
of
testers.
Every
time
you
run
one
of
these
pen
tests
you
get
a
completely
new
different
set
of
elite,
experienced
hackers,
making
sure
that
you're
reaping
the
benefits
of
many
eyes.
Obviously
this
is
a
much
more
proactive
way
of
doing
things
since
you're.
You
know
actually
taking
charge
and
doing
something,
but
it
could
be
required
as
part
of
a
compliance
or
vendor
assessment
effort.
B
You
get
your
results
almost
instantly
as
they
come
in,
as
the
reports
come
in,
there's
no
need
to
wait
for
weeks
for
a
final
report.
You
can
see
things
as
happening
and
you
can
go
actually
go
ahead
and
get
started,
fixing
things
and
finally,
on
bug,
bounty
programs,
a
bug
bounty
is
an
extension
to
both
of
the
previous
methods
you're
taking
the
next
level
here
by
actively
incentivizing
the
largest
community
of
hackers
in
the
world
to
perform
basically
continuous
security
research
on
your
products
and
services.
B
You're
offering
you
know
large
cash
rewards
for
valid
vulnerabilities.
You
know
it's
obviously
the
most
proactive
approach
and
it's
also
one
of
the
best
ways
for
your
own
engineers
to
learn
security.
There's
no
better
way
for
learning
than
getting
practical
examples
of
mistakes
that
you
and
your
teammates
have
made,
and
if
you're
doing
penetration
tests,
whether
these
be
hacker
powered
pen
tests
or
you
know,
standard
kind
of
like
consultancy,
firm
based
tests,
the
bugbending
program
can
let
you
better
tailor
those
pin
tests.
B
So
say
your
bug
money
program
is
receiving
a
bunch
of
reports
on
a
particular
area.
Well,
then,
you
could
laser
focus.
Your
pin
tests
onto
that
area
to
knock
out
an
entire
class
of
vulnerabilities
from
you
know
prevent
those
future
reports.
At
the
same
time,
if
you're
not
getting
a
lot
of
reports
in
your
program
on
an
area,
then
maybe
that's
a
case
where,
like
hey,
you
know,
the
hackers
are
not
finding
something
here.
Let's
use
our
pin
tests.
B
You
know
funds
to
like
actually
make
sure
that
there's
not
an
issue
in
this
segment,
a
separate
set
of
code,
but
it
again
allows
you
to
focus
those
pin
tests
you're
not
duplicating
things
you're
getting
value
out
of
both
of
them.
But,
more
importantly,
it's
the
cherry
on
top
of
your
software
system
development
life
cycle.
So
again,
what
we're
talking
about
today
is
a
bug
binding
program
specifically
for
kubernetes.
B
A
A
A
So
in
the
encore
rotation,
the
person
is
currently
on
call
triages
incoming
security
reports,
both
from
the
hackerone
kubernetes
bug,
browning
program
and
from
directly
to
the
security
at
kubernetes.io
mailing
list.
Valid
reports
are
handled
as
security
incidents
and
we'll
go
through
the
process
that
that
entails.
A
So
why
what
was
the
original
motivation
for
wanting
a
bug
bounty
program
for
kubernetes?
So
it
got
kicked
off
a
couple
years
ago.
At
this
point,
and
some
of
the
original
motivations
were
to
get
more
security
researcher
attention
in
general
on
the
kubernetes
code
base,
simplify
the
triage
and
response
process
for
the
people
on
the
kubernetes
product
security
committee
show
that
enterprises
are
sorry
show
that
kubernetes
is
enterprise
ready.
A
B
You
know
hacker
one
triage
workflow,
so
what
happens?
Basically,
when
a
report
comes
in
a
hacker
submits
a
report
on
hackerone.com
kubernetes.
That
report
goes
in
to
an
initial
kind
of
triage
queue.
The
hacker
one
has
a
set
of
security
analysts.
A
set
number
of
them
actually
have
kubernetes
training,
certified
training,
so
they're
familiar
with
kubernetes.
They
have
some
infrastructure
that
they
can
spin
up
to
kind
of
test
the
submitted
vulnerability.
They
will
do
what
they
can
to
validate
the
issue,
including
going
back
and
forth
with
the
hacker
to
see.
B
If
any
more
information
is
needed
and
once
they've
been
able
to
validate
the
issue,
then
they'll
go
ahead
and
assign
a
what
they
think
is.
You
know
a
severity
cwe
which
is
a
kind
of
the
vulnerability
type
that
it
is
and
do
a
short
write-up
of
what
the
issue
is
once
that's
been
done,
then
they
will
mark
it
officially
as
triage
and
they'll
also
go
ahead
and
kick
it
back
to
the
or
kick
it
over
to
the
kubernetes
park
security
committee
to
take
next
steps
that
to
here
we'll
be
talking
about.
A
Okay,
so
once
this
report
is
triaged
by
hacker
one
by
their
triage
agents,
then
the
pse
on
cloud
will
take
a
look
at
it.
They
will
probably
do
their
own
reproduction
to
try
and
understand
how
serious
the
issue
is,
and
if
it
is
determined
to
be
an
actual
issue.
What
happens
next
is
someone
on
the
psc
will
step
up
as
a
fixed
lead.
A
So
once
the
fixed
lead
is
chosen,
the
next
step
is
to
for
them
to
assemble
a
fixed
team.
Kubernetes
is
a
huge
code
base.
It's
vanishingly
unlikely
that
the
fixed
lead
is
an
expert
or
even
familiar
with
the
part
of
the
code
base.
That's
affected,
so
their
first
job
is
to
assemble
people,
who
are
experts
in
that
part
of
the
code
and
bring
them
up
to
speed
on
the
issue
and
get
them
in
agreement
on
how
to
fix
it.
A
Then,
for
the
next
chunk
of
time,
the
fixed
team
will
work
on
developing
the
fix,
so
that
might
happen
privately
in
a
private
github
repo
or
it
might
happen
semi-publicly
depending
on
the
severity
of
the
issue.
So
semi
publicly
would
be
the
commits
go
into
kubernetes
mainline,
but
they're,
not
the
commit
descriptions,
don't
say
things
like.
Oh
my
gosh,
this
is
a
giant
security
issue.
A
In
the
meantime,
the
fix
lead
is
working
on
developing
the
communications
plan
for
the
issue,
so
that
will
be
like
how
do
we
explain
this
issue
to
users
and
administrators
of
kubernetes
and
make
it
clear
what
action
they
need
to
take
after
the
communications
plan
is
put
together.
The
next
step
is
to
notify
the
distributors
list.
A
A
So
then,
the
next
step
is
once
the
fix
is
ready
to
go.
It
needs
to
be
merged
and
released.
This
can
either
for
high
security
vulnerabilities.
This
would
be
a
new
release
dedicated
just
to
that
security
issue
or
for
medium
or
low.
You
will
tend
to
catch
the
existing
release
drain
of
an
existing
patch
version.
A
Once
the
fix
is
merged
and
released,
and
there
are
new
kubernetes
builds
available.
Then
the
public
notification
goes
out.
That
says
this
is
the
issue.
This
is
what
you
need
to
do.
Come
get
this
new
release
and
do
these
things
to
fix
the
problem
that
goes
as
out
as
a
wide
blast
to
most
of
the
kubernetes
announcement
channels,
so
slack
the
kubernetes
announced
mailing
list,
and
so
on.
B
Sure
so
the
program
launched
in
january
of
this
year,
it
is
already
paid
out
almost
15
000
dollars
in
bounties,
the
top
bounty
awarded
to
an
individual
hacker
is
5
000.
So
far
there
have
been
80
plus
valid
reports
that
have
been
submitted
from
24
unique
hackers,
so
that
this,
this
is
great.
I
mean
we're
only
halfway
through
the
craziest
year
of
our
lives
and
we're
already
seeing
a
lot
of
great
reports
that
have
come
in
so
everyday
to
here.
For
the
next.
A
Yeah,
so
there
have
been
lots
of
great
vulnerabilities
well
great
or
not
interesting,
vulnerabilities
coming
in
through
the
program.
In
fact,
the
rate
of
reports
has
ticked
up
since
launching
the
bug
banning
program.
Some
of
that
may
be
due
to
people
who
we
had
pre-announced
the
bug
banning
program,
and
so
it's
possible
that
people
were
sitting
on
their
vulnerabilities
until
the
bug
binding
program
was
open,
but
hopefully
it's
also
reflective
of
a
wider
coverage.
A
A
A
A
A
Don't
worry
if
you
don't
know
specifically
specific
values
are
the
correct
value
for
some
of
these
things,
both
the
hacker
one
triage
team
and
the
pse
on-call
will
be
more
than
happy
to
help
you
dial
in
the
appropriate
values.
For
these
what's
important
is,
if
you
think,
there's
an
issue
make
sure
it
gets
reported
and
then
now
to
talk
about
the
actual
reward
structure
I'll
hand
it
back
to
read.
B
Yes,
so
we've
the
kubernetes
product
security
committee
has
kind
of
split
things
up
into
three
different
tiers
of
you
know
rewards
these
are
based
on
the
severity
per
the
cbss,
the
common
vulnerability
scoring
standard.
These
are
general
guidelines
and
obviously
the
reward
discretion
is
up
to
the
cloud
native
computing
foundation
and
can
be,
you
know,
adjusted
as
needed
depending
on
the
individual
issues.
B
So
for
tier
one
issues,
this
is
considered
to
be
core
kubernetes.
This
includes
anything,
that's
generally
availability,
a
general
available
and
beta
features
of
core
kubernetes.
So
this
is
both
the
you
know.
Primary
kubernetes
staging
or
any
kind
of
kubernetes
own
core
dependencies
k
log
would
be
an
example.
B
Any
kind
of
core
add-ons
coupe
proxy
is.
It
was
a
great
example
here,
if
you
have
the
ability
to
alter
source
code
without
owner
approval
or
modify
release
artifacts.
That
is
a
tier
one
issue.
If
you
can
actually
dos
the
the
artifacts
themselves-
and
you
know
prevent
people
from
downloading
them,
that's
an
issue
and
again
the
the
metrics
are.
The
the
reward
amounts
here
starts
with
ten
thousand
dollars
for
critical.
B
A
So
as
a
user
or
an
administrator
of
kubernetes
clusters,
and
if
you
want
to
be
up
to
date
on
security
announcements,
which
is
a
pretty
good
idea,
if
you're
already
subscribed
to
a
general
notification
channel
like
kubernetes
announce,
that
is
good
enough,
although
there
does
tend
to
be
those
are
a
high
traffic
list,
so
you
may
may
miss
the
security
announcement
or
you
may
have
it
filtered
out
or
or
what
have
you?
So
if
you
want
to
subscribe
to
a
list,
that's
just
for
focus
security
announcements.
A
The
best
place
to
go
is
kubernetes
security,
announce
google
groups.com
that
will
have
all
the
announcements
for
security
issues
handled
by
the
psc
and
just
in
general.
If
you
maybe
want
to
do
something
more
beyond
just
doing
code
contributions
here
or
you
want
to
contribute
in
a
different
way,
look
out
for
sig
security.
A
B
B
A
All
right
so
looks
like
we
have
one
question
about.
Basically,
if
if
a
security
researcher
does
not
wish
to
go
through
hacker
one,
can
you
use
the
old
security
email?
Yes,
you
can
email,
I
forget
the
precise
email,
but
the
the
old
psc
security
report
email
still
works
as
to
whether
or
not
you're
eligible
for
the
bounty.
I
am
not
sure.
B
B
B
Are
you
I'm
not
sure
the
context
here
is
it's
saying
that,
like
good
examples
of
in
kubernetes
to
here
actually
went
through
a
couple
of
different
submissions
and
you
could
actually
go
to
hackerone.com
kubernetes
and
if
you
click
on
activity,
you
can
actually
see
some
of
the
previously
disclosed
reports
there.
If
you're
interested
in
seeing
like
some
of
the
previous
reports
that
have
been
paid
out,
are
you
are
you
referring
to
something
else?
B
Sorry,
there's
not
enough
context
here
to
know
if
you're
referring
to
like,
maybe
maybe
you're,
referring
to
like
getting
involved
in
your
own
bug,
money
programs.
You
know
there's
plenty
of
other
hacker,
one
and
other
book
by
the
programs
that
you're
welcome
to
contribute
to
or
if
you
want
to
get
started
with
doing
just
bug
bunnies
in
general.
There's
things
like
hacker101.com,
which
is
just
a
great
tutorial
on
kind
of
how
to
get
going
with
that
cool.
B
Yes,
yeah,
so
there's
actually
I'm
trying
to
remember
the
name
of
it.
So
forgive
me,
but
there's
basically
a
bug
bounty
field
guide
that
hackman
put
out
that
you
can
look
for
that.
Actually
does
a
really
good
job
about
kind
of
giving
you
a
start
to
finish
process
on
how
to
get
going
and
and
again
like.
B
I
don't
want
to
be
salesy
but
like
hack,
one
is
one
option
and
there's
other
other
companies
as
well,
or
you
can
try
doing
stuff
yourself
for
that,
but
that
particular
document
the.
If
you
search
for
hacker
one
bug
bounty
field
guide,
it's
just
a
freely
available
guide
that
you
can
use
for
getting
started
on
building
your
own
bug,
bunny
program.
B
Another
question
came
in:
are
there
more
cncf
projects
that
are
on
hacker
one?
Yes,
I'm
not
sure.
If
there's
still
are,
I
know
that
the
hyper
ledger
stuff
was
on
hacker
one
for
a
while,
I'm
not
sure
if
it
still
is
and
that
there's
definitely
a
lot
of
other
linux
foundation,
projects
that
are
on
hacker
one
cncf,
I'm
not
entirely
sure.
I
know
that
kubernetes
is
by
far
the
biggest
one,
but
I
think
hyperledger
was,
and
there
may
have
been
a
couple
others
as
well.
B
B
And
again,
we
really
appreciate
you
listening
on
us
speak,
it's
always
weird,
because
this
is
a
brave
new
world
of
this
simon
live
of
like
pre-recorded
talks
and
then
that's
taken
so,
but
I
really
appreciate
you
willing
to
spend
time
to
basically
sit
at
your
computer
for
hours
and
listen
to
talks.
So
thank
you
again.
B
B
Okay,
if
there
are
no
other
questions,
I
think
we
will
wrap
up
a
few
minutes
early.
I
believe
we
provided
our
contact
information
in
the
slide
deck,
and
so
you
can
get
in
touch
with
us
there.
You
know
if,
for
my
I'll
I'll
let
each
of
us
give
our
information
but
from
you're
always
welcome
to
email
me
at
read,
hackerone.com
or
you
can
find
me
on
twitter
at
relodin
or
on
linkedin.
I'm
happy
to
answer
questions
to
hear.
If
you
want
to
give
your
contact
information.