Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

GitLab Launches Public Bug Bounty Program

Open source Git repository management system GitLab this week announced the launch of a public bug bounty program with rewards of up to $12,000 for critical vulnerabilities found in its products and services.

Open source Git repository management system GitLab this week announced the launch of a public bug bounty program with rewards of up to $12,000 for critical vulnerabilities found in its products and services.

GitLab aims to make software development easier and more efficient by providing an open source platform that can be used for the entire DevOps lifecycle. While in many ways it’s similar to GitHub, GitLab, which recently raised $100 million, offers a wider range of services.

The company launched a vulnerability disclosure program with the help of HackerOne back in 2014. Then, last year, it announced a small private bug bounty program that has resulted in a total payout of nearly $200,000 for roughly 250 vulnerabilities reported by more than 100 white hat hackers.

GitLab has now decided to launch a public bug bounty program via HackerOne. It covers the GitLab installation, production services, and the company’s other products, including its SaaS offering.

Researchers have been invited to report SQL injection, remote code execution, XSS, CSRF, directory traversal, privilege escalation and information disclosure vulnerabilities.

Critical vulnerabilities, findings that impact more than half of GitLab’s customer base, can earn researchers up to $12,000, while high-severity issues can be worth up to $7,000.

GitLab bug bounty program rewards

“GitLab is a cloud-native company,” said GitLab Director of Security Kathy Wang. “There is literally no physical office – all employees are remote, across 40+ different countries. Every third party product we use is SaaS-based. GitLab.com is hosted on Google Cloud. There is no firm perimeter, from a security perspective. We have to focus on access and credentialing management, as well as internal application security reviews, for example. Working with hackers helps the team scale, so that we can focus on other areas as well.”

One interesting vulnerability reported through the company’s private bug bounty program was disclosed in February. The flaw, which GitLab initially decided not to patch, could have been exploited to hijack users’ custom domains and point them to malicious content.

Related: Remote Code Execution Vulnerability Patched in Git

Related: Command Execution Flaw Affects Several Version Control Systems

Related: Hackers Can Use Git Repos for Stealthy Attack on Developers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.