Since we opened our bug bounty program to the public in December 2018, our community of external security researchers submitted 1,282 reports and we paid out $515,899 in bounties.

This past September we told you we were iterating on how and when we pay out bounties. At that point we changed to a model where we pay out a part of the bounty right at the moment when a report is triaged. Now we're making more changes.

New! Increased bounties for critical and high severity reports

What’s better than money in your pocket faster? MORE money in your pocket faster.

Effective November 18, 2019, we are increasing the amount of bounty awards for new reports for critical and high vulnerabilities!

Critical (9.0 - 10.0) High (7.0-8.9) Medium (4.0-6.9) Low (0.1 - 3.9)
$20,000 $10,000 $3,000 $1,000

What isn’t changing:

• Program scope
• Severity criteria
• Rules of engagement
• Our SLAs for response, time to triage and time to bounty

The skills, depth of expertise and contributions of our security researcher community are strengthening the security of our product and our company in a very real way and we are excited to be able to recognize this with higher bounties. Thank you for your continued contributions and we look forward to your next report!

P.S. There’s still a little time left to participate in our bug bounty contest running October 1 through November 30. Report a bug and be entered to win a sweet piece of GitLab swag!

Photo by Banter Snaps on Unsplash

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab Free
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license

Try GitLab risk-free for 30 days.

No credit card required. Have questions? Contact us.

Gitlab x icon svg