How it works
We have
set up a lab environment on GKE based on an open-source Kubernetes-based Capture-the-Flag (CTF) project called
kCTF. Participants will be required to:
- Break out of a containerized environment running on a Kubernetes pod and,
- Read one of two secret flags: One flag is on the same pod, and the other one is in another Kubernetes pod in a different namespace.
Flags will be changed often, and participants need to submit the secret flag as proof of successful exploitation. The lab environment does not store any data (such as the commands or files used to exploit it), so participants need the flags to demonstrate they were able to compromise it.
The rewards will work in the following way:
- Bugs that affect the lab GKE environment that can lead to stealing both flags will be rewarded up to 10,000 USD, but we will review each report on a case-by-case basis. Any vulnerabilities are in scope, regardless of where they are: Linux, Kubernetes, kCTF, Google, or any other dependency. Instructions on how to submit the flags and exploits are available here.
- Bugs that are 100% in Google code, qualify for an additional Google VRP reward.
- Bugs that are 100% in Kubernetes code, qualify for an additional CNCF Kubernetes reward.
Any vulnerabilities found outside of GKE (like
Kubernetes or the Linux kernel) should be reported to the corresponding upstream project security teams. To make this program expansion as efficient as possible for the maintainers, we will only reward vulnerabilities shown to be exploitable by stealing a flag. If your exploit relies on something in upstream Kubernetes, the Linux Kernel, or any other dependency, you need to report it there first, get it resolved, and then report it to Google. See instructions
here.
The GKE lab environment is built on top of a CTF infrastructure that we just open-sourced on
GitHub. The infrastructure is new, and we are looking forward to receiving feedback from the community before it can be actively used in CTF competitions. By including the CTF infrastructure in the scope of the Google VRP, we want to incentivise the community to help us secure not just the CTF competitions that will use it, but also GKE and the broader Kubernetes ecosystems.
In March 2020, we announced
the winner for the first Google Cloud Platform (GCP) VRP Prize and since then we have seen increased interest and research happening on Google Cloud. With this new initiative, we hope to bring even more awareness to Google Cloud by experienced security researchers, so we can all work together to secure our shared open-source foundations.
Aucun commentaire :
Enregistrer un commentaire