Rewards of up to $10,000 on offer to ethical hackers who can break out of lab environment

Google has expanded its Vulnerability Reward Program (VRP) to cover privilege escalation bugs found in all critical open source dependencies of Google Kubernetes Engine (GKE).

Security researchers are invited to find vulnerabilities inside a newly-built lab environment that’s based on a Kubernetes-based capture-the-flag (CTF) project.

In scope are exploitable vulnerabilities in all dependencies that can lead to a node compromise, including privilege escalation bugs in the Linux kernel or underlying hardware or infrastructure components.

Hardened labs

Announced yesterday (May 28), the move follows the launch in January of a Kubernetes bug bounty program by the Cloud Native Computing Foundation (CNCF), the Kubernetes project maintainers.

Researchers taking on the hardened GKE lab, which is based on the kCTF project, must break out of a containerized environment running on a Kubernetes pod and read one of two secret flags: one in the same pod or another in a separate Kubernetes pod in a different namespace.

Flags will be changed frequently, and participants must submit the secret flag as proof of exploitation.

As with the CNCF-run Kubernetes program, payouts will range up to $10,000.

Bugs that exist solely in either the Google or Kubernetes code will qualify for an additional Google VRP or CNCF Kubernetes reward respectively.

Securing the cloud

Open-sourced by Google in 2014, Kubernetes is a portable, extensible platform for managing containerized workloads and services.

“In March 2020, we announced the winner for the first Google Cloud Platform (GCP) VRP Prize and since then we have seen increased interest and research happening on Google Cloud,” said Eduardo Vela, vulnerability collector at Google, in the blog post announcing the news.

“With this new initiative, we hope to bring even more awareness to Google Cloud by experienced security researchers, so we can all work together to secure our shared open source foundations.”

Google is also seeking feedback from the security community on the GKE lab environment, newly built on top of CTF infrastructure open-sourced on GitHub.


RELATED Google Cloud security find earns South American researcher $31k bug bounty payout