This report has been disclosed on HackerOne: https://hackerone.com/reports/341876
Edit: Greg Castle (Kubernetes/GKE Security Tech Lead, Google) and Shane Lawrence (Security Infrastructure Engineer, Shopify) gave an amazing talk about this bug at KubeCon 2018: Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen
You can download the slides here (PDF) or just watch the talk:
2018/04/23 Reported to Shopify via HackerOne 2018/04/23 Triaged (Severity: Critical - 10.0)2018/05/23 Resolved and bounty awarded2018/05/23 Report disclosed