Unusual challenge: for the next three months, Google will pay good money for the successful exploitation of security holes in the Linux kernel that have already been fixed. The company is offering $31,337 per exploit. With this approach, Google apparently wants to test how well its security patches actually hold up.
To collect, participants have to escalate their privileges in a hardened Kubernetes environment using vulnerabilities that are already patched, or go a step further and break out of the container isolation to access data belonging to other containers. As proof of a successful attack, Google requires the attacker to read a protected memory region and submit the secret it contains, in the format known from hacking competitions as Capture the Flag (CTF).
Google will even raise the payout to US$50,337 if the attacker uses a previously unknown (zero-day) vulnerability or a novel exploitation technique; Google reserves the right to decide for itself how novel a technique is. Vulnerabilities that also affect Android can additionally be rewarded under the Android Bughunter program.
Kubernetes is a container orchestrator. Containers package applications and services together with their dependencies and are isolated from other applications and from the host operating system by kernel mechanisms (namespaces, cgroups, capabilities and seccomp filters), so that one container cannot interfere with another. Kubernetes was developed by Google, released as an open source project in 2014 and is now hosted by the Cloud Native Computing Foundation (CNCF). Since then it has become the industry standard for managing containers at scale.
Containerized applications are comparatively easy to start and to move to other systems. Because Google offers Kubernetes to customers in its Google Cloud, the company has a strong interest in making the software as secure as possible, and this bug bounty program can certainly contribute to that.
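Whether a container is "hardened" in the sense above is visible from inside the container in /proc: the effective capability mask, the seccomp mode and the user ID largely determine how much room a kernel exploit has to work with. The following script is an added illustration written for this article, not code from Google or the Kubernetes project; it decodes the CapEff bitmask from a /proc/self/status file (the capability numbering is the one from linux/capability.h) and flags capabilities that would make a kernel-bug exploit or host escape easier. The set of "dangerous" capabilities and the embedded sample status file are constructed for the example.

```python
"""Inspect container hardening from the inside using only /proc/self/status."""

# Capability bit index -> name, as numbered in linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Example set (an assumption for this script): capabilities that widen the
# kernel attack surface or allow direct access to host resources.
DANGEROUS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
             "CAP_NET_ADMIN", "CAP_BPF", "CAP_DAC_READ_SEARCH"}


def parse_status(text):
    """Turn the contents of /proc/<pid>/status into a field -> value dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hexmask):
    """Expand a CapEff/CapBnd hex bitmask into the capability names it contains."""
    mask = int(hexmask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def assess(fields):
    """Summarise the isolation visible in a parsed status file."""
    caps = decode_caps(fields.get("CapEff", "0"))
    uid = int(fields.get("Uid", "0").split()[0])        # real UID
    seccomp = int(fields.get("Seccomp", "0"))            # 0 off, 1 strict, 2 filter
    return {
        "uid": uid,
        "seccomp_filter": seccomp == 2,
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
        "effective_caps": caps,
        "dangerous_caps": sorted(c for c in caps if c in DANGEROUS),
    }


def inspect_self():
    """Run the assessment on the calling process (Linux only)."""
    with open("/proc/self/status") as f:
        return assess(parse_status(f.read()))


# Constructed sample: root inside a container with the 14 default capabilities
# a typical runtime grants (mask a80425fb) and a seccomp filter applied.
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
NoNewPrivs:\t0
Seccomp:\t2
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

if __name__ == "__main__":
    import json
    print(json.dumps(assess(parse_status(SAMPLE_STATUS)), indent=2))
```

On a real system, call inspect_self() instead of feeding it the sample. A container that is still root, has no seccomp filter and carries CAP_SYS_ADMIN or CAP_SYS_MODULE is far from hardened; a restrictive Pod securityContext (non-root user, all capabilities dropped, seccomp profile set) shrinks what this script reports to almost nothing.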