Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Bug Google Open Source The Almighty Buck Technology

CNCF, Google, and HackerOne Launch Kubernetes Bug Bounty Program 4

Posted by BeauHD from the hide-and-seek dept.
An anonymous reader quotes a report from VentureBeat: The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who find security vulnerabilities in Kubernetes' codebase, as well as the build and release processes, will be rewarded with bounties ranging from $100 to $10,000. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it's significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.
This discussion has been archived. No new comments can be posted.

CNCF, Google, and HackerOne Launch Kubernetes Bug Bounty Program More

CNCF, Google, and HackerOne Launch Kubernetes Bug Bounty Program

Comments Filter:

  • Cheapskate way to Security. (Score:5, Insightful)

    by jellomizer ( 103300 ) on Wednesday January 15, 2020 @10:02AM (#59622862)

    Other then hiring Security Professionals and paying them 6 figure salaries. You offer a bounty program, which you can control how much you pay for the bug.
    $100 for a bug found means this should had been found, tested, reported and documented in under 3 hours of work, for it to be any source of meaningful income compared actually getting a full time job.

    I checked these Gigs programming jobs, in short what the companies are willing to pay for code is far below what the job is worth.
    Ill pay you $2,000 for a fully functional CRM solution.

    In short these are attempts to just get cheap labor. Because they saw how much consultants charge way too much, how much for Full Time Employees still a lot of money, their existing workforce isn't up to the task. So they will just open a bug bounty that way they get free analytics, and only pay for problems found.

    • Re: (Score:2)

      by zoobab ( 201383 )

      Maybe if they increase the price money by 100x, I will start looking at it.

      Exploits are worth more.

    • In short these are attempts to just get cheap labor.

      That's a pretty dim view of it.

      Most of these software projects have security teams. Bug bounties are not a way to outsource security on the cheap. Bug bounties are attempts to get security bug reports submitted to the project, instead of either 1) sold to a bad actor or 2) not submitted at all. Many users will take the time to open an issue on GitHub, but many won't. The bounty is an incentive.

      The $100 per bug that you cite isn't a flat rate; the referenced project, Kubernetes, will pay $100 for a documenta

Slashdot Top Deals

The Tao is like a glob pattern: used but never used up. It is like the extern void: filled with infinite possibilities.

Close