Complete evaluation of potential bug bounty vendors #73079
This issue is an update on the process for vendor evaluation and selection for a Kubernetes bug bounty program. This program is a work in progress. The bug bounty is not currently active. If you currently have a bug to submit, follow instructions at https://kubernetes.io/docs/reference/issues-security/security/.
Kubernetes Bug Bounty Program vendor evaluation
To create a vulnerability rewards program (“bug bounty”) for Kubernetes. This is to help:
This should NOT replace or interfere with existing vendor-specific bug bounty programs for their deployments of Kubernetes. For example, if a bug is in Google’s specific deployment of Kubernetes in Google Kubernetes Engine, it should be reported to (or routed to) the Google Vulnerability Rewards Program.
An initial scope for the bug bounty is defined by the Kubernetes Product Security Team in community/contributors/guide/bug-bounty.md.
The following vendors were approached for proposals:
Both submitted and presented their proposals.
Criteria were not directly shared with the vendors, but included:
After significant evaluation, the Kubernetes Product Security Team (PST) would be content with either vendor, HackerOne or Bugcrowd, hosting a Kubernetes vulnerability rewards program.
HackerOne is preferred due to its tighter integration with GitHub, simpler vulnerability report disclosure, automated response flows, automated CVSS scoring, and simpler fulfillment of swag rewards.