diff --git a/contributors/guide/bug-bounty.md b/contributors/guide/bug-bounty.md new file mode 100644 index 000000000..634dff1d5 --- /dev/null +++ b/contributors/guide/bug-bounty.md @@ -0,0 +1,79 @@ +# Kubernetes Bug Bounty Program + +This program is a **work in progress**. This tracks the currently proposed program, but the bug +bounty is not currently active. If you currently have a bug to submit, follow instructions at https://kubernetes.io/docs/reference/issues-security/security/ + +## Scope + +The scope of the Kubernetes project itself is not well defined, which makes defining a bug bounty +scope difficult. With that in mind, we've attempted to enumerate the features, configurations, and +components that clearly fall inside or outside of our scope. However, this leaves a lot of gray area +in between. For that, we ask you to use your best judgment, and welcome contributions to help +clarify the scope. + +### In Scope + +The following items are explicitly in-scope for the bug bounty program: + +**Cluster Attacks:** + +- Attacks against Beta & GA features, unless explicitly excluded below +- Privilege escalation due to bugs in RBAC, ABAC, pod security policies +- Authentication bugs in the in-tree authentication handlers
+ _Including: OIDC, x509 certificates, service accounts, webhook authenticator, bearer token, etc._ +- Privilege escalation through the kubelet APIs +- Remote code execution in kubelet, api server +- Unauthorized etcd access via the Kubernetes API +- Path traversal attacks in API, namespaces, etcd +- Info leak (e.g. workload names) from publicly accessible unauthenticated endpoints
+ _Excluding intentionally disclosed info, such as Kubernetes version & enabled APIs_ +- Reliable suppression of audit logs for privileged actions +- Unexpected editing, removal, or permission changes of files on the host filesystems from + Kubernetes components (e.g. kubelet) +- Persistent DoS from within a cluster by an unprivileged container or user. + +**Supply Chain:** _(excluding social engineering attacks against maintainers)_ + +- Unauthorized code commit to any Kubernetes org repository
+ _Including: `github.com/kubernetes{,-client,-csi,-incubator,-retired,-security,-sigs}/*`_ +- Unauthorized access to github.com/kubernetes-security +- Publishing of unauthorized artifacts +- Unauthorized modification of github data +- CI/CD Credential Leaks +- Execution inside the CI/CD infrastructure + +**Components:** + +- Attacks against a stable & supported Kubernetes release (most recent 3 releases) +- Community maintained stable cloud platform plugins
+ _Vulnerabilities in other cloud platform plugins should be reported through the associated provider_ +- In-tree (k8s.io/kubernetes) stable volume plugins + +### Out of Scope + +The following items are explicitly out-of scope for the bug bounty program. While we still welcome +vulnerability reports in these areas, they are not (currently) eligible to receive a bounty. + +- Alpha features & APIs +- Kubernetes running on Windows or other non-linux operating systems +- Non-Kubernetes binaries distributed as cluster addons
+ _Please report vulnerabilities in these components through the appropriate channel for the + upstream component_ +- Container escalations and escapes to the host, unless the attack path traverses a Kubernetes + process (e.g. kubelet). +- Linux privilege escalations
+ _Please report these through security@kernel.org_ +- Attacks against containers from the host they are running on +- Attacks relying on insecure configurations (subject to the [Product Security Team][]'s opinion), + such as clusters not utilizing mutual authentication or encryption between Kubernetes components. +- Attacks relying on or against deprecated components (e.g. gitrepo volumes) +- Vulnerabilities in etcd
+ _Please report these through [CoreOS's disclosure process][]_ +- Vulnerabilities in CoreDNS
+ _Please report these through [CoreDNS's disclosure process][]_ +- Vulnerabilities specific to a hosted Kubernetes setup
+ _Please report these through the associated provider_ + +[Product Security Team]: https://github.com/kubernetes/sig-release/blob/master/security-release-process-documentation/security-release-process.md#product-security-team-pst +[CoreOS's disclosure process]: https://coreos.com/security/disclosure/ +[CoreDNS's disclosure process]: https://github.com/coredns/coredns#security