GitLab is committed to working with security experts across the globe to stay up to date with the latest security techniques. Feel free to inspect our source code. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. Please let us know about it and we'll make every effort to quickly correct the issue.
GitLab will make a best effort to meet the following SLAs for hackers participating in our program:
Please refrain from submitting your report or inquiring about its status through additional channels, as this unnecessarily binds resources in the security team.
Our rewards are based on impact to our customers, defined below. Please note these are general guidelines, and that reward decisions are up to the discretion of GitLab.
| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - |
|---|---|---|---|
| $12,000 | $7,000 | $3,000 | $1,000 |
The indicated amounts represent upper bounds for the corresponding level of severity. For example, a medium severity issue will be awarded between $1000 and $3000, a high severity issue between $3000 and $7000, etc.
Reports about intended behavior resulting in an update of our documentation will be rewarded with a $100 bounty, as long as this update is security related.
GitLab reserves the right to make a final decision regarding the severity of a reported finding. Upon receipt of the finding, we will conduct an internal investigation and determine the severity of the finding according to the following guidelines:
When researching security issues, especially those which may compromise the privacy of others, you must use only test accounts in order to respect our users' privacy. Accessing private information of other users, or performing actions that may negatively affect GitLab's users (e.g., spam, denial of service), will disqualify the report. Activity that is disruptive to GitLab operations will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:
Sending reports from automated tools without verifying them will immediately disqualify the report.
Disruptive activity such as that listed above can be researched freely on your own installation of GitLab. GitLab is an open-core company, with the source code powering gitlab.com available at https://gitlab.com/gitlab-org/gitlab-ce. You are encouraged to install your own standalone instance for researching vulnerabilities. Screen captures, logs, and videos showing vulnerabilities against your own GitLab installation are encouraged.
We appreciate reports of broken links that are susceptible to hijacking on our website and in our documentation. However, to prevent being flooded with broken link reports, we do not close these reports as "Resolved" but rather as "Informative". Broken links to script sources or other files that could result in script execution are treated as vulnerabilities.
We believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to acknowledge your contribution in our Hall of Fame.
For different attack vectors that result in the same mitigation, GitLab reserves the right to reward the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
You are responsible for complying with any applicable laws. You are not eligible to participate in this program if you are currently an employee of GitLab, Inc. or any of its subsidiaries. Reports from former employees, immediate family of current employees, or other associates of GitLab.com that may present a conflict of interest with the goals of the program will be more thoroughly reviewed and may not qualify for the stated bounty awards at GitLab's discretion.
If you have suggestions for improving this program, please let us know at firstname.lastname@example.org.