Cloud Security

Google Adds GKE Open-Source Dependencies to Vulnerability Rewards Program

Google this week announced an expansion for its Vulnerability Rewards Program (VRP) to include critical open-source dependencies of Google Kubernetes Engine (GKE).

The announcement builds on the bug bounty program for Kubernetes that the Cloud Native Computing Foundation (CNCF), in partnership with Google and others, announced earlier this year, and which offers rewards of up to $10,000 for vulnerabilities in the project.

With this expansion, Google’s VRP will cover privilege escalation bugs in a hardened GKE lab cluster that was specifically set up for this purpose.

“This will cover exploitable vulnerabilities in all dependencies that can lead to a node compromise, such as privilege escalation bugs in the Linux kernel, as well as in the underlying hardware or other components of our infrastructure that could allow for privilege escalation inside a GKE cluster,” the company says.

Google is now inviting bug hunters to find vulnerabilities in a lab environment that was set up on GKE based on kCTF, an open-source Kubernetes-based Capture-the-Flag (CTF) project.

Participants must break out of a containerized environment running in a Kubernetes pod and read at least one of two secret flags: one on the same pod, the other in a separate pod in a different namespace.

Because the lab environment holds no real data, the flags serve as the proof of successful exploitation, and participants must present them with their report. Google says the flags will change often.
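As an added illustration of the challenge layout described above (this is not kCTF's own manifest, and the namespace, pod, container and secret names are assumptions), one way to lay out the two flags and a hardened attacker pod in Kubernetes is:

```yaml
# Added example, not kCTF's own manifests. All names are assumptions;
# flag values are placeholders standing in for the frequently rotated flags.
apiVersion: v1
kind: Namespace
metadata:
  name: ctf-challenge
---
apiVersion: v1
kind: Namespace
metadata:
  name: ctf-flags
---
# Flag 1: same namespace as the attacker, mounted into a sidecar of the SAME pod.
apiVersion: v1
kind: Secret
metadata:
  name: flag-local
  namespace: ctf-challenge
stringData:
  flag: "CTF{placeholder-local-flag}"
---
# Flag 2: a different namespace; nothing in ctf-challenge is granted access to it.
apiVersion: v1
kind: Secret
metadata:
  name: flag-remote
  namespace: ctf-flags
stringData:
  flag: "CTF{placeholder-remote-flag}"
---
# Pod holding flag 2 in the other namespace.
apiVersion: v1
kind: Pod
metadata:
  name: flag-holder
  namespace: ctf-flags
spec:
  automountServiceAccountToken: false
  containers:
    - name: holder
      image: busybox
      command: ["sleep", "infinity"]
      volumeMounts:
        - name: flag
          mountPath: /flag
          readOnly: true
  volumes:
    - name: flag
      secret:
        secretName: flag-remote
---
# The challenge pod. The attacker gets a shell in the "shell" container;
# flag 1 is mounted only into the "flag-sidecar" container of the same pod.
# The two containers share a network namespace but not a mount namespace,
# so reading /flag requires escaping the container boundary.
apiVersion: v1
kind: Pod
metadata:
  name: challenge
  namespace: ctf-challenge
spec:
  automountServiceAccountToken: false   # no API credentials to abuse
  shareProcessNamespace: false          # if true, /proc/<pid>/root of the sidecar would be reachable
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: shell
      image: busybox
      command: ["sleep", "infinity"]
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
    - name: flag-sidecar
      image: busybox
      command: ["sleep", "infinity"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: flag
          mountPath: /flag
          readOnly: true
  volumes:
    - name: flag
      secret:
        secretName: flag-local
```

The point of the layout is that the attacker's container has no service account token, no capabilities, a read-only root filesystem and the runtime's default seccomp profile, so neither flag is reachable through a misconfiguration. Reaching flag-local means crossing the container boundary within the pod; reaching flag-remote means compromising the node or the cluster, which is the class of bug the expanded program pays for.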

The Internet giant is willing to pay up to $10,000 for bugs that affect the lab GKE environment and can lead to stealing both flags, with each report reviewed on a case-by-case basis. Participants may submit vulnerabilities found in Linux, Kubernetes, kCTF, Google's own code, or any other dependency.

Security flaws that only impact Google code qualify for an additional VRP reward, while those impacting only Kubernetes code qualify for an additional CNCF Kubernetes reward.

“Any vulnerabilities found outside of GKE (like Kubernetes or the Linux kernel) should be reported to the corresponding upstream project security teams. To make this program expansion as efficient as possible for the maintainers, we will only reward vulnerabilities shown to be exploitable by stealing a flag,” Google explains.

The open-sourced kCTF environment is new, and Google wants feedback on it before actively using it in CTF competitions.

“By including the CTF infrastructure in the scope of the Google VRP, we want to incentivise the community to help us secure not just the CTF competitions that will use it, but also GKE and the broader Kubernetes ecosystems,” Google notes.

Related: Zoom Revamps Bug Bounty Program

Related: Tencent Partners With HackerOne for Bug Bounty Program

Related: Public Bug Bounty Program Launched for Kubernetes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
