Bug bounty reward vs release cycle


Angus Lees

Jun 10, 2020, 8:25:21 PM
to kubernetes-security-discuss
I read our bug bounty[1] recently, and I have a "haha, but serious" observation:

I think the current bug bounty gives a significant financial incentive to _delay_ reporting a bug until it makes it into a beta/GA release ($2.5k vs $10k for critical core bugs).  I'm sure this wasn't the intended outcome.

Maybe we should arrange the "peak" reward where we want to focus bug hunting: *right before release/GA*.
Specifically, I suggest we *decrease* (slightly) the relative reward for GA core compared to beta core.  Also, I suggest we offer maximum reward for (e.g.) the last 3 weeks of code freeze leading up to a release, and less for actual released bugs.

I appreciate that we can't pay out maximum reward as soon as the bug lands in git/alpha, because that's too open to abuse and collusion.  Also my above beta vs GA suggestion assumes that we don't introduce new bugs in the transition from beta->GA, and aiui it is common to make changes beyond just the apiVersion during that transition.


--
 - Gus

Tim Allclair

Jun 10, 2020, 8:38:40 PM
to Angus Lees, kubernetes-security-discuss, security-discuss-private
Thanks for raising this discussion. This came up on slack recently, and to copy my comment from there:

Yeah, it's a tricky balance. In general we want to encourage finding bugs before they go to production, but unfortunately security isn't always the first problem that people address when adding a new feature. So we don't want to get in the habit of handing out big rewards when it's just that no one has taken a hard look at the feature's security yet.

I definitely like your idea of paying out the full amount for bugs found after code-freeze, and maybe we can even offer a bonus in that case.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-security-discuss/50ec249c-b4aa-4718-a3f7-9b2388ee67f3o%40googlegroups.com.