Complete evaluation of potential bug bounty vendors #73079
Labels: area/security; committee/security-response (denotes an issue or PR intended to be handled by the product security committee); sig/auth (categorizes an issue or PR as relevant to SIG Auth).
This issue is an update on the process for vendor evaluation and selection for a Kubernetes bug bounty program. This program is a work in progress. The bug bounty is not currently active. If you currently have a bug to submit, follow instructions at https://kubernetes.io/docs/reference/issues-security/security/.
Kubernetes Bug Bounty Program vendor evaluation
Goal
To create a vulnerability rewards program (“bug bounty”) for Kubernetes. This is to help:
This should NOT replace or interfere with existing vendor-specific bug bounty programs for their deployments of Kubernetes, e.g., if a bug is in Google’s specific deployment of Kubernetes in Google Kubernetes Engine, it should be reported to, or routed to, the Google Vulnerability Rewards Program.
Scope
An initial scope for the bug bounty is defined by the Kubernetes Product Security Team in community/contributors/guide/bug-bounty.md.
Process
Eligible vendors
The following vendors were approached for proposals:
Both submitted and presented their proposals.
Evaluation
Criteria were not directly shared with the vendors, but included:
Recommendation
After significant evaluation, the Kubernetes Product Security Team (PST) would be content with either vendor, HackerOne or Bugcrowd, hosting a Kubernetes vulnerability rewards program.
HackerOne is preferred due to its tighter integration with GitHub, simpler vulnerability report disclosure, automated response flows, automated CVSS scoring, and simpler fulfillment of swag rewards.