CNCF, Google, and HackerOne Launch Kubernetes Bug Bounty Program
An anonymous reader quotes a report from VentureBeat: The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who find security vulnerabilities in Kubernetes' codebase, as well as the build and release processes, will be rewarded with bounties ranging from $100 to $10,000. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it's significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.
Cheapskate way to Security. (Score:5, Insightful)
Other than hiring Security Professionals and paying them 6 figure salaries, you offer a bounty program, in which you can control how much you pay for the bug.
$100 for a bug found means this should have been found, tested, reported and documented in under 3 hours of work, for it to be any source of meaningful income compared to actually getting a full time job.
I checked these gig programming jobs; in short, what the companies are willing to pay for code is far below what the job is worth.
I'll pay you $2,000 for a fully functional CRM solution.
In short these are attempts to just get cheap labor. Because they saw that consultants charge way too much, that Full Time Employees are still a lot of money, and that their existing workforce isn't up to the task. So they will just open a bug bounty; that way they get free analytics, and only pay for problems found.
Re: (Score:2)
Maybe if they increase the prize money by 100x, I will start looking at it.
Exploits are worth more.
Purpose of bug bounty programs (Score:2)
In short these are attempts to just get cheap labor.
That's a pretty dim view of it.
Most of these software projects have security teams. Bug bounties are not a way to outsource security on the cheap. Bug bounties are attempts to get security bug reports submitted to the project, instead of either 1) sold to a bad actor or 2) not submitted at all. Many users will take the time to open an issue on GitHub, but many won't. The bounty is an incentive.
The $100 per bug that you cite isn't a flat rate; the referenced project, Kubernetes, will pay $100 for a documenta