In Google, we’ve always supported the benefits and importance of making use of open source technologies to pioneer. We enjoy being a part of the local community and we want to give back within new ways. As part of this work, we are excited to announce a good expansion of our Google Vulnerability Benefits Program (VRP) to cover all the critical open-source dependencies of Google Kubernetes Motor (GKE) . We have developed this expansion with the objective of incentivizing the security neighborhood to work even more closely along with open source projects, supporting the particular maintainers whose work all of us rely on.

The particular CNCF, in partnership with Google, lately introduced a insect bounty program for Kubernetes that pays as much as $10, 000 for weaknesses discovered within the project. Now, in addition to that, we are expanding typically the scope of the Google VRP program to also include opportunity escalation bugs in a solidified GKE lab cluster coming from set up for this purpose. This will protect exploitable vulnerabilities in all dependencies that can lead to a client compromise, such as privilege escalation bugs in the Linux nucleus, as well as in the underlying hardware or even other components of our facilities that could allow for privilege escalation inside a GKE cluster.


Exactly how it works
We now have setup a lab environment on GKE depending on an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF . Participants will be required to:

  • Break free from a containerized environment operating on a Kubernetes pod plus,
  • Read 1 of 2 secret flags: One banner is on the same pod, as well as the other one is in another Kubernetes pod in a different namespace.

Flags is going to be changed often , and individuals need to submit the secret the flag as proof of successful fermage. The lab environment does not shop any data (such since the commands or files utilized to exploit it), so members need the flags to demonstrate these were able to compromise it.

Typically the rewards will work in the subsequent way:

  • Bugs that affect the laboratory GKE environment that can result in stealing both flags will probably be rewarded up to 10, 500 USD, but we will evaluation each report on a case-by-case basis. Any vulnerabilities have been in scope, regardless of where they are: Cpanel, Kubernetes, kCTF, Google, or some kind of other dependency. Instructions in order to submit the flags in addition to exploits are available here .
  • Bugs that are totally in Google code, qualify for an extra Google VRP reward.
  • Bugs that are completely in Kubernetes code, be eligible for a an additional CNCF Kubernetes incentive.

Any weaknesses found outside of GKE (such Kubernetes or the Linux kernel ) should be reported towards the corresponding upstream project protection teams. To make this program growth as efficient as possible for that maintainers, we will only prize vulnerabilities shown to be exploitable simply by stealing a flag. In case your exploit relies on something inside upstream Kubernetes, the Apache Kernel, or any other addiction, you need to report it presently there first, get it resolved, after which report it to Search engines.   See instructions here .

The GKE lab environment is built along with a CTF infrastructure that people just open-sourced on GitHub . The infrastructure is brand new, and we are looking forward to getting feedback from the community prior to it can be actively used in CTF competitions. By including the CTF infrastructure in the scope from the Google VRP, we want to incentivise the community to help us safe not just the CTF contests that will use it, but also GKE and the broader Kubernetes environments.

In 03 2020, we announced the champion for the first Google Impair Platform (GCP) VRP Reward and since after that we have seen increased attention and research happening on the search engines Cloud. With this new effort, we hope to bring even more consciousness to Google Cloud by simply experienced security researchers, and we can all work together to obtain our shared open-source fundamentals.

Read more from the Source