We are increasing bounties in our bug bounty program

Nov 18, 2019 · 1 min read · Leave a comment
Heather Simpson GitLab profile

Since we opened our bug bounty program to the public in December 2018, our community of external security researchers submitted 1,282 reports and we paid out $515,899 in bounties.

This past September we told you we were iterating on how and when we pay out bounties. At that point we changed to a model where we pay out a part of the bounty right at the moment when a report is triaged. Now we're making more changes.

New! Increased bounties for critical and high severity reports

What’s better than money in your pocket faster? MORE money in your pocket faster.

Effective November 18, 2019, we are increasing the amount of bounty awards for new reports for critical and high vulnerabilities!

Critical (9.0 - 10.0) High (7.0-8.9) Medium (4.0-6.9) Low (0.1 - 3.9)
$20,000 $10,000 $3,000 $1,000

What isn’t changing:

• Program scope
• Severity criteria
• Rules of engagement
• Our SLAs for response, time to triage and time to bounty

The skills, depth of expertise and contributions of our security researcher community are strengthening the security of our product and our company in a very real way and we are excited to be able to recognize this with higher bounties. Thank you for your continued contributions and we look forward to your next report!

P.S. There’s still a little time left to participate in our bug bounty contest running October 1 through November 30. Report a bug and be entered to win a sweet piece of GitLab swag!

Photo by Banter Snaps on Unsplash

“We are raising bounties for critical and high severity reports in our @GitLab #bugbounty program. Get the details!” – Heather Simpson

Click to tweet

Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license