CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Management & Strategy

GitLab Launches Public Bug Bounty Program

Open source Git repository management system GitLab this week announced the launch of a public bug bounty program with rewards of up to $12,000 for critical vulnerabilities found in its products and services.

Open source Git repository management system GitLab this week announced the launch of a public bug bounty program with rewards of up to $12,000 for critical vulnerabilities found in its products and services.

GitLab aims to make software development easier and more efficient by providing an open source platform that can be used for the entire DevOps lifecycle. While in many ways it’s similar to GitHub, GitLab, which recently raised $100 million, offers a wider range of services.

The company launched a vulnerability disclosure program with the help of HackerOne back in 2014. Then, last year, it announced a small private bug bounty program that has resulted in a total payout of nearly $200,000 for roughly 250 vulnerabilities reported by more than 100 white hat hackers.

GitLab has now decided to launch a public bug bounty program via HackerOne. It covers the GitLab installation, production services, and the company’s other products, including its SaaS offering.

Researchers have been invited to report SQL injection, remote code execution, XSS, CSRF, directory traversal, privilege escalation and information disclosure vulnerabilities.

Critical vulnerabilities, findings that impact more than half of GitLab’s customer base, can earn researchers up to $12,000, while high-severity issues can be worth up to $7,000.

GitLab bug bounty program rewards

“GitLab is a cloud-native company,” said GitLab Director of Security Kathy Wang. “There is literally no physical office – all employees are remote, across 40+ different countries. Every third party product we use is SaaS-based. is hosted on Google Cloud. There is no firm perimeter, from a security perspective. We have to focus on access and credentialing management, as well as internal application security reviews, for example. Working with hackers helps the team scale, so that we can focus on other areas as well.”

One interesting vulnerability reported through the company’s private bug bounty program was disclosed in February. The flaw, which GitLab initially decided not to patch, could have been exploited to hijack users’ custom domains and point them to malicious content.

Advertisement. Scroll to continue reading.

Related: Remote Code Execution Vulnerability Patched in Git

Related: Command Execution Flaw Affects Several Version Control Systems

Related: Hackers Can Use Git Repos for Stealthy Attack on Developers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...