Management & Strategy

GitLab Paid Half a Million Dollars in Bug Bounties in One Year

GitLab has paid more than half a million dollars in rewards to security researchers who contributed to its public bug bounty program over the past year.

The DevOps platform launched its first bug bounty initiative on HackerOne in 2014, but kept the program private.

Ionut Arghire

December 16, 2019

GitLab has paid more than half a million dollars in rewards to security researchers who contributed to its public bug bounty program over the past year.

The DevOps platform launched its first bug bounty initiative on HackerOne in 2014, but kept the program private.

With a security team ready to manage the bug bounty program and with lessons learned from the private effort, GitLab decided a year ago to make the program public and invite all security researchers to submit reports on newly discovered vulnerabilities impacting its assets.

The public bug bounty program, GitLab now says, has proven highly successful, with no less than 1,378 reports received from 513 security researchers worldwide. Furthermore, 171 researchers reported valid vulnerabilities and were awarded a total of $565,650 in bug bounties.

Launched in December 2018, the public program has helped GitLab evolve not only the manner in which it communicates with the participating security researchers, but also the way in which bounties are awarded, in addition to increasing the rewards for critical and high-severity vulnerabilities.

“The program kept our engineers on their toes, challenged and surprised our security team, and helped us keep GitLab more secure,” GitLab notes.

In October and November, the company held a bug bounty contest to identify contributors with the most reputation points from submissions to the program, the best written report, most innovative report, and the most impactful finding.

The contest has proved highly successful, with a total of 279 reports received from 123 different individuals, including 89 new reporters. GitLab plans to release details on the best written report, most innovative report and most impactful finding 30 days after releasing fixes for these vulnerabilities.

Advertisement. Scroll to continue reading.

Update: A previous version of this article incorrectly stated that GitLab launched its public bug bounty program in early 2019 and that it would offer legal safe harbor.

Written By Ionut Arghire

Ionut Arghire is an international correspondent for SecurityWeek.

Latest News

Click to comment

CIEM Chat: How to Reduce Cloud Identity Risk

March 26, 2024

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Virtual Event: Ransomware Resilience & Recovery Summit

April 17, 2024

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

You Against the World: The Offenders Dilemma

Foreign attackers have many more toolsets at their disposal, so we need to make sure we’re selective about our modeling, preparation and how we assess and fortify ourselves. (Tom Eston)

Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

With automated, detailed, contextualized threat intelligence, organizations can better anticipate malicious activity and utilize intelligence to speed detection around proven attacks. (Marc Solomon)

Know Your Audience When Speaking to Security Practitioners

How can security practitioners make sense of the vendor landscape and separate those who talk a good game from those who can execute, perform, and solve real problems for enterprises? (Joshua Goldfarb)

Cybersecurity Mesh: Overcoming Data Security Overload

A significant cybersecurity challenge arises from managing the immense volume of data generated by numerous IT security tools, leading organizations into a reactive rather than proactive approach. (Torsten George)

The OODA Loop: The Military Model That Speeds Up Cybersecurity Response

The OODA Loop can be used both by defenders and incident responders for a variety of use cases such as threat assessment, threat monitoring, and threat hunting. (Etay Maor)

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

SecurityWeek NewsMarch 26, 2014

Application Security

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Eduard KovacsSeptember 24, 2019

Topics for 2023 Cybersecurity Insights Series

CISO Strategy

SecurityWeek Cyber Insights 2023 Series

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Kevin TownsendFebruary 13, 2023

Incident Response

Amazon’s Shuttering of Alexa Ranking Service Hits Cybersecurity Industry

Amazon has shut down Alexa.com.

Eduard KovacsMay 6, 2022

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Eduard KovacsMarch 28, 2023

CISO Conversations

CISO Conversations: HP and Dell CISOs Discuss the Role of the Multi-National Security Chief

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Kevin TownsendMay 10, 2023

IoT Security

16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Ionut ArghireJanuary 5, 2023