SecurityWeek

Cloud Security

Google Adds GKE Open-Source Dependencies to Vulnerability Rewards Program

Google this week announced an expansion for its Vulnerability Rewards Program (VRP) to include critical open-source dependencies of Google Kubernetes Engine (GKE).


The announcement builds on the bug bounty program for Kubernetes that the Cloud Native Computing Foundation (CNCF), in partnership with Google and others, announced earlier this year, and which offers rewards of up to $10,000 for vulnerabilities in the project.

With this expansion, Google’s VRP will cover privilege escalation bugs in a hardened GKE lab cluster that was specifically set up for this purpose.

“This will cover exploitable vulnerabilities in all dependencies that can lead to a node compromise, such as privilege escalation bugs in the Linux kernel, as well as in the underlying hardware or other components of our infrastructure that could allow for privilege escalation inside a GKE cluster,” the company says.

Google is now inviting bug hunters to find vulnerabilities in a lab environment running on GKE that is built on kCTF, an open-source Kubernetes-based Capture-the-Flag (CTF) project.

Participants are required to break out of a containerized environment running in a Kubernetes pod and read one of two secret flags: one stored in the same pod, the other in a different pod in a different namespace.

Participants must present these flags as proof of successful exploitation, since the lab environment retains no data that could be used to verify a break-out after the fact. The flags will change often, Google says.

The Internet giant is willing to pay up to $10,000 for bugs that affect the lab GKE environment and can lead to stealing both flags (each report will be reviewed on a case-by-case basis). Participants are allowed to submit vulnerabilities identified in Linux, Kubernetes, kCTF, Google, or any other dependency.


Security flaws that only impact Google code qualify for an additional VRP reward, while those impacting only Kubernetes code qualify for an additional CNCF Kubernetes reward.

“Any vulnerabilities found outside of GKE (like Kubernetes or the Linux kernel) should be reported to the corresponding upstream project security teams. To make this program expansion as efficient as possible for the maintainers, we will only reward vulnerabilities shown to be exploitable by stealing a flag,” Google explains.

The open-sourced kCTF environment is new and Google is looking to receive feedback on it before actively using it in CTF competitions.

“By including the CTF infrastructure in the scope of the Google VRP, we want to incentivise the community to help us secure not just the CTF competitions that will use it, but also GKE and the broader Kubernetes ecosystems,” Google notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
