2016-02-06
2020-04-25
GitLab

GitLab is committed to working with security experts across the globe to stay up to date with the latest security techniques. Feel free to inspect our source code and web assets. If you have discovered a security issue that you believe we should know about, we’d welcome working with you. Please let us know about it and we'll make every effort to quickly correct the issue.

Rewards

We have different rewards depending on the business impact of each asset. A more complete description of each asset will be in the scope section, but in general GitLab.com and all our products' source code is rewarded the highest, then non-production environments have reduced bounties and our static websites have the lowest payouts.

See the Rewards section above for our bounty ranges. For reports with critical or high severity we pay $1000 at the time the report is triaged, and for medium severity reports we pay $500. The remainder, if any, will be paid when the report is resolved or 45 days after triage, whichever happens earlier. The calculator we use to calculate CVSS-based bounty amounts is accessible to everyone.

Reports about intended behavior resulting in an update of our documentation will be rewarded with a $100 bounty, as long as this update is security related.

GitLab assigns CVE identifiers to vulnerabilities affecting GitLab products. While the CVSS score for those should generally align with the severity set in the HackerOne report, sometimes they will differ depending on our assessment of the business impact based on existing mitigations, the sensitivity of the impacted data, and number of impacted customers among other factors.

While we try to be as consistent as possible with rewards, our program is also evolving and rewards may change accordingly to how our program evolves with time.

Capture the flag for $20,000

We recently raised our bounty amounts, and finding a CVSS 10.0 vulnerability in GitLab will lead to what we think is a pretty good payday. However, we've noticed that some vulnerabilities with very high business impact don't receive as high a CVSS score as a remote code execution vulnerability would, because they "only" impact confidentiality.

This is why we're introducing a capture the flag contest!

How to get started in our CTF

The private group gitlab-h1-bbp-ctf-group (group ID 55842926) contains a private project which contains a file with a flag. The format of the flag is {gitlab-bounty-flag-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}. Use a permission-related issue to bypass access control without user interaction, then read the flag, and the $20,000 bonus is yours!

At the moment there is one (1) flag available. The bonus will be awarded to the first person to find the flag and file a report on our Bug Bounty Program with the steps to successfully reproduce. We will update this policy when the flag is found. To stay informed, subscribe to our program to receive policy updates and be notified when the flag has been claimed. At that time, our CTF will be paused while we test and improve our defenses. Once we're ready we'll re-enable the flag and update our policy to indicate that the CTF is open again.

GitLab Ultimate License

Reporters who have submitted three or more valid findings to our program are eligible to receive a one-year self-hosted Ultimate license supporting up to five users. If you believe you're eligible, please request the Ultimate license via a comment in one of your reports mentioning the assigned security engineer, and include links to your other two valid reports. Once verified, the license will be sent to your [username]@wearehackerone.com email address. Any further valid submissions in that year will extend you the next year's license for free too.

How severity is determined

Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity using the Common Vulnerability Scoring System (CVSS) and score according to the guidelines you can see in the "help & definitions" section of our CVSS calculator. Note that even though GitLab.com allows self-registration, most GitLab instances in the wild don't -- which makes vulnerabilities that are exploitable without authentication a lot more impactful. For this reason, any vulnerability that requires an account will not be scored with "Privileges Required: None".

Reports for security issues that aren't vulnerabilities in our systems and where CVSS isn't appropriate (for example a leaked confidential document) will receive a discretionary bounty based on our assessment of the impact of the finding.

Duplicates

For different attack vectors that result in the same mitigation, GitLab reserves the right to reward the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector.

Rules of Engagement, Testing, and Proof-of-concepts

When researching security issues, especially those which may compromise the privacy of others, you must use only test accounts in order to respect our users' privacy. Accessing private information of other users, or performing actions that may negatively affect GitLab's users (e.g., spam, denial of service), will disqualify the report. Activity that is disruptive to GitLab operations will result in account bans and disqualification of the report. Examples of disruptive activity include, but are not limited to:

  • Generating abuse requests
  • Submission of support, sales or other requests to 3rd party systems
  • Mass creation of users, groups, and projects
  • Typosquatting or other namesquatting
  • Spam-like or other high volume activity

Sending reports from automated tools without verifying them will immediately disqualify the report.

Disruptive activity such as that listed above can be researched freely on your own installation of GitLab. GitLab is an open-core company, with the source code powering gitlab.com available at https://gitlab.com/gitlab-org/gitlab-foss and https://gitlab.com/gitlab-org/gitlab. You are encouraged to install your own standalone instance for researching vulnerabilities. Screen captures, logs, and videos showing vulnerabilities against your own GitLab installation are encouraged.

Behave professionally. Failure to follow HackerOne's policies, such as the Code of Conduct, may result in the report being ineligible for a bounty at GitLab's sole discretion, in addition to any enforcement action HackerOne may decide to take.

Testing on GitLab.com

When testing on GitLab.com, your @wearehackerone.com address must be associated with the testing account. If separate accounts are necessary, you can use an alias. This will help us separate testing from other forms of abuse, and help inform the decision of blocking an account. Note that this does not provide immunity and the Rules of engagement must be followed at all times.

SLA

GitLab will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 1 business day

  • Time to triage (from report submit) - 5 business days

  • Time to bounty (from triage) - between 5 and 45 business days

The only appropriate place to inquire about a HackerOne report's status is on the report itself. Please refrain from submitting your report or inquiring about its status through additional channels including any other unrelated HackerOne report, as this unnecessarily binds resources in the security team.

Scope

All GitLab Inc. products are in scope unless explicitly noted otherwise.

Testing on subdomains that are neither explicitly in scope nor out of scope isn't encouraged, but if you can find a vulnerability with business impact on such a subdomain please report it. We normally close sufficiently clear reports as Informative so there will be no negative effect on your reputation score if we decide that it's out of scope. However, remember that GitLab subdomains that are running third party services are strictly out of scope.

GitLab Releases

We release new features on the 22nd of every month. You can learn more about our release process, see the latest monthly release blog post and see what's coming in future releases. If you're bug hunting, might we suggest a newly released feature?

Vulnerabilities in 3rd-party dependencies & packaged software

Reports on vulnerabilities in third-party software which GitLab depends on will be accepted and a bounty awarded if and only if:

  • The report includes a new vulnerability, for which a patch is not available, or

  • A patch has been available for more than 30 days.

  • It has a clear and working proof of concept that illustrates the impact to GitLab.

  • It has Critical or High impact to GitLab.

This does not include websites of third party software and services and only includes dependencies & packaged software.

Out of scope

  • Automated scanning of any kind
  • GitLab sites of third party software and services (marketing services, third-party mail services, developer/support installations etc.)
    • This includes gitlab.cn and the JiHu-specific GitLab distribution, which are property of GitLab Information Technology (Hubei) Co., Ltd. (JiHu); security issues in those products should be reported to security@gitlab.cn
  • User content on GitLab.com (for example, a user that is not using proper permissions on their projects containing sensitive information)
  • Access tokens that don't belong to GitLab projects/groups/team members (please contact the owner of the token; you can find their email address by querying the /api/v4/user API)
  • Our customers' GitLab installs
  • Gitter (no longer owned by GitLab)
  • Intentionally public information and hosts, for example our marketing issues at https://gitlab.com/gitlab-com/marketing
  • Attacks requiring physical access to the victim's computer, including employee computer compromise
  • Man-in-the-middle attacks
  • Social engineering, phishing, or other fraud including but not limited to: internationalized domain name (IDN) homograph attacks, Right-to-left (RTL) Ambiguity, RTL Override (RTLO), SPF and DKIM issues, HTML content injection, Tabnabbing
  • Missing Security Headers (e.g. HSTS, CSP) and Missing Secure Flags on Cookies
  • SSL or SSH issues (weak ciphers/key-size/BEAST/CRIME)
  • CSRF without any security impact
  • User and project enumeration/path disclosure unless an additional impact can be demonstrated
  • Reports where an attacker can validate a guess will not be accepted. Examples include but are not limited to:
    • An API route returning different status codes depending on whether a private path exists or not
    • An identical response but with significantly different timing depending on whether a private path exists or not
    • A response validating that a specific email address is registered
  • Reports where an attacker can only disclose the ID of a private element will not be accepted
  • Client side Denial of Service that can be solved by tuning application limits
  • Client side Denial of Service that is caused by browser bugs
    • SVG rendering bugs are an example of this and the browsers are tracking these issues (see the Chromium and Mozilla bug trackers for example)
  • Server side Denial of Service with a temporary impact on performance that can be solved by tuning application limits or additional rate limiting
  • Lack of, or insufficient, rate limiting. (We are aware of the lack of rate limiting in many places and our application-wide application limits initiative aims to improve that)
  • Text injection is eligible only on sensitive pages (for example, settings or authentication pages)
  • Reports about CVEs published on mailing lists, groups etc. without demonstrating an impact on GitLab
  • Bypassing our media asset proxy for loading media files
  • GitLab Runner reports that do not demonstrate the ability to impact data of other projects or GitLab infrastructure
    • Note that it is documented behavior of the Shell Executor to be able to see other projects on the same server
  • Scenarios in which only the number of private objects is exposed, unless it can be used to extract any sensitive information contained in those objects
    • For example, a report showing that it's possible to see that a certain project has 17 issues even if only 15 are publicly visible would not be accepted
    • However, being able to demonstrate that there are 4 confidential issues with the words "SECRET TOKEN" in them would be a valid report
  • Spoofing email and username in git commits that aren't signed with GPG
  • Clickjacking on pages with no sensitive actions
  • 500 errors or any other error that affects only the attacking request (please see the Rules of Engagement, Testing, and Proof-of-concepts section for the rules concerning testing for Denial of Service (DoS) and other potentially disruptive activities)
  • High privilege users (maintainers, owners) using a bug to sabotage/deface their own projects
  • Being able to access attachments directly with a known URL (this is a documented behavior and we have an issue discussing ways to improve this)
  • Issues affecting only Internet Explorer, as it is not a supported web browser
    • Note that Microsoft Edge is supported
  • EXIF metadata not being stripped from images
    • We are aware of ways to bypass the EXIF metadata stripping and intend to improve this, but we don't consider this impactful enough to be eligible for a bounty
  • Bypassing or creating fake licenses, or bypasses of feature restrictions where there is no security impact

Disclosure

All Resolved reports will be made public via issues on GitLab.com 30 days after releasing a fix. We will redact all information we consider sensitive (such as cookies or tokens), but do not hesitate to let us know if additional content should be hidden. If you also want the report to be disclosed via HackerOne, please request disclosure. Informative or self-closed reports that are determined to be bugs or new feature requests with no current security impact may be imported as public issues in our issue tracker at https://gitlab.com/gitlab-org/gitlab/issues.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Eligibility for Participation

You are responsible for complying with any applicable laws. You are not eligible to participate in this program if you are currently an employee of GitLab, Inc. or any of its subsidiaries. Reports from former employees, immediate family of current employees, or other associates of GitLab.com that may present a conflict of interest with the goals of the program will be more thoroughly reviewed and may not qualify for the stated bounty awards at GitLab's discretion.

Our Process and Additional Information of Interest

In Scope

Scope Type        Scope Name
other             Your Own GitLab Instance
other             Other non-production infrastructure
web_application   customers.gitlab.com
web_application   gitlab.com
web_application   registry.gitlab.com
web_application   https://gitlab.com/gitlab-org/gitlab
web_application   https://gitlab.com/gitlab-org/gitlab-runner
web_application   https://gitlab.com/gitlab-org/gitaly
web_application   https://gitlab.com/gitlab-org/gitlab-pages
web_application   https://gitlab.com/gitlab-org/gitlab-shell
web_application   https://gitlab.com/gitlab-org/gitlab-vscode-extension
web_application   *.gitlab.net
web_application   *.gitlab.org
web_application   *.gitlap.com
web_application   about.gitlab.com
web_application   docs.gitlab.com
web_application   design.gitlab.com
web_application   advisories.gitlab.com

Out of Scope

Scope Type        Scope Name
web_application   status.gitlab.com
web_application   forum.gitlab.com
web_application   shop.gitlab.com
web_application   support.gitlab.com
web_application   alerts.gitlab.com
web_application   dashboards.gitlab.com
web_application   partners.gitlab.com
web_application   aptly.gitlab.com
web_application   translate.gitlab.com
web_application   federal-support.gitlab.com
web_application   us-federal-gitlab.com
web_application   ir.gitlab.com
web_application   https://gitlab.com/gitlab-org/opstrace/
web_application   levelup.gitlab.com


This program has been listed on HackerOne since 2016-02-06.

FireBounty © 2015-2024
