Blog Engineering GitLab's HackerOne Bug Bounty Program is public today
Published on: December 12, 2018
2 min read

GitLab's HackerOne Bug Bounty Program is public today

With 200 reported vulnerabilities and $200,000 awarded already, our bug bounty program is now public and open for your contributions.

security-cover.png

Today, we are happy to announce that our HackerOne bug bounty program is now public. Since we opened our private bounty program in December 2017, we have been preparing to take this program public by working through some of the challenges of managing a bug bounty program. We have awarded over $200,000 in bounties since the bug bounty program went live last year. This means we mitigated nearly 200 vulnerabilities reported to us.

Our first response time to newly submitted findings has decreased significantly, from an average of 48+ hours to just seven. That is a significant reduction achieved through security automation, and will help us scale, as well as better engage the hacker community.

On average, our mean time to mitigation (MTTR) for critical security issues is currently fewer than 30 days. Our current goal is to now focus on bringing the MTTR metric for medium-high security issues to under 60 days, on average.

Yesterday, we released a webinar to announce our plans to be a public bug bounty program. In managing a public bug bounty program, we will now be able to reward our hacker community for reporting security vulnerabilities to us directly through the program.

The past year has been a great journey of learning about managing such a program, and we have plans to further expand upon our public program in 2019 and beyond. We would also like to acknowledge some of our top contributors from the hacker community, including ngalog, jobert, and fransrosen.

Check out the program to see how you can contribute!

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert