GitLab: Reducing the time to payout and a bug bounty anniversary contest

This guest post is contributed by Dennis Appelt at GitLab and was originally published here.

In just nine months since going public with our bug bounty program, our reporter community has made substantial contributions to the security and continued success of GitLab. Since going public, our community of external security researchers submitted 1016 reports and we paid out $395,000 in bounties.

We are very grateful for your contributions and have an open line for feedback regarding our bug bounty program.

You talked, we listened.

In fact, when we asked you how we could strengthen our bug bounty program, one of the top suggestions was to reduce the time to bounty payout. We’re sure both professional and casual bug bounty hunters enjoy receiving a paycheck earlier than later. So, we took your feedback and sat down to improve our program.

Going forward, we will pay out a part of the bounty right at the moment when a report is triaged, which is, on average, five days after the report is submitted. That means cash in your pocket faster. Reports with severity of medium, high, or critical will be awarded $1000 when the report is triaged. The remainder will be paid when the report is resolved.

At GitLab, we believe in the value of iteration. Paying out a partial bounty when the report is triaged is the first in a series of steps to speed up bounty payouts. We have many more ideas on how we can speed up bounty payouts and we’d like to move toward this with our community. If you have feedback regarding faster bounty payouts – or other areas where we can improve or grow – please share it with us! It’s this continual feedback loop and collaboration that will make us all successful.

Repeat reporters

Another key element that strengthens our program are our repeat reporters. We went to the 2019 HackerOne H1-702 event where we met with our top three hackers (since our bug bounty program launch through June 2019) to recognize their accomplishments and thank them for their impact on our program.

Our AppSec team with ngalog at HackerOne’s H1-702 event.

Our AppSec team with jobert at HackerOne’s H1-702 event.

Our AppSec team with fransrosen at HackerOne’s H1-702 event.

GitLab’s mission is, everyone can contribute. Not just the most experienced hackers, and not just the reporters finding the greatest quantity of bugs or even the most impactful bugs, but all of the reporters in between. Your findings make us stronger.

So, with that in mind, let us introduce our…

One-year anniversary hacking contest

Our one year anniversary of taking our bug bounty program public is right around the corner. To celebrate a very successful first year, we want to recognize the outstanding contributions from our reporter community with a little something special.

We are running a community hacking contest starting October 1 (12 am ET) until November 30, 2019 (12 pm ET). The top contributor in the following categories will receive a special reward:

Most reputation points from submissions to our program. This category is simple. Collect the most reputation points from submissions to our program and win!

Most reputations points collected by a reporter new to our program. Getting started with a new bug bounty program is difficult. We want to recognize the effort you put in.

Best written report. A well-written report goes a long way to demonstrate impact and to help us reproduce the problem.

Most innovative report. Sometimes reporters demonstrate great out-of-the-box thinking. For example, some reports group several low-severity findings into a high-impact vulnerability. We appreciate this creativity.

Most impactful finding. At the end of the day, an impactful discovery is what we all strive for.

The winners will be announced on December 12 via GitLab blog post. A contributor can win at most one category. Of course, regular bounties still apply to any of your findings. Here’s a hint on a little something extra that the winners will get:

What’s orange and purple and goes hackety, hack?

Happy hacking!