GitLab's Public Bug Bounty Program Turns One
This guest blog post was authored by GitLab Senior Application Security Engineer Juan Broullon and originally published on the GitLab security blog.
One year ago today, we launched our public bug bounty program, a crucial element in our strategy to secure our product and protect our company.
Bigger, stronger, more secure
It seems like only yesterday (ok, June 2014) that we launched our first program on HackerOne, a vulnerability disclosure initiative that would award security researchers swag in exchange for bugs. Once that program was mature enough – and our security team was prepared to manage it – the next natural step was a public bug bounty program which lead to a huge increase in report submissions and cash in reporters' pockets!
Over the past year we’ve started tackling some early lessons learned and evolved the way we communicate with our reporters, the way we reward bounties, and even what we’re paying for high and critical severity findings. But we’re not done learning yet. We want everyone to contribute and are always keen to hear about new ways to improve our bug bounty program so let us know if you have any suggestions.
As we look back at the past year, we’re proud to report that we’ve received a total of 1378 reports from 513 extremely talented security researchers from across the globe. We awarded a total of $565,650 in bounties to 171 researchers who reported valid vulnerabilities. The program kept our engineers on their toes, challenged and surprised our security team and helped us keep GitLab more secure.
We’re pretty excited about all this, but we know you’re waiting with baited breath to hear about some even more riveting news…
In October, we announced a bug bounty contest. From October 1 through November 30, we were looking for contributors to our program across the following areas:
- Most reputation points from submissions to our program
- Most reputations points collected by a reporter new to our program
- Best written report
- Most innovative report
- Most impactful finding
We just knew our reporters WOULD NOT DISAPPOINT.
We received 279 reports from 123 different individuals between October 1 and November 30, and 89 of them were from new reporters!
Thank you to all who contributed. We’re beyond excited to announce these winners:
- Most reputation points from submissions to our program. Congratulations to @xanbanx who leads the pack in reputation points this period.
- Most reputations points collected by a reporter new to our program. Congratulations to @peet86 who had the highest reputation score for a new reporter to our program.
- Best written report. Congratulations to @rpadovani, your numerous Elasticsearch reports which were consistently clear and concise.
- Most innovative report. Congratulations to @ngalog, the technique you used to disclose private data on GitLab Pages was unique and creative.
- Most impactful finding. Congratulations @nyangawa of Chaitin Tech for your report on a complex path traversal bug which lead to remote code execution.
Since it is GitLab’s policy to share details via public GitLab.com of all issues 30 days after releasing a fix, the details of our best written report, most innovative report and most impactful finding winners will be released in a future blog post.
And, to give you a peep of the custom swag our five winners will be receiving:
61 mechanical keys to add some clickety clack to your hackety hack. You'll want to ditch the chiclets and get with these gold-plated cherry mx switches.
A Tanuki-powered Poker 3. We’re pretty sure this 60% mechanical keyboard will help you keep it 💯.
To everyone who has contributed to our program in the past year, thank you for making it a success.
Despite a very impressive 2019, we know there’s still a lot of room for improvement in our program. We plan to continue to grow and enhance our bug bounty efforts in the coming year so keep an eye on this blog for updates.
The GitLab Security team