Since we opened our bug bounty program to the public in December 2018, our community of external security researchers submitted 1,282 reports and we paid out $515,899 in bounties.
This past September we told you we were iterating on how and when we pay out bounties. At that point we changed to a model where we pay out a part of the bounty right at the moment when a report is triaged. Now we're making more changes.
New! Increased bounties for critical and high severity reports
What’s better than money in your pocket faster? MORE money in your pocket faster.
Effective November 18, 2019, we are increasing the amount of bounty awards for new reports for critical and high vulnerabilities!
| Critical (9.0 - 10.0) | High (7.0-8.9) | Medium (4.0-6.9) | Low (0.1 - 3.9) |
|---|---|---|---|
| $20,000 | $10,000 | $3,000 | $1,000 |
What isn’t changing:
• Program scope
• Severity criteria
• Rules of engagement
• Our SLAs for response, time to triage and time to bounty
The skills, depth of expertise and contributions of our security researcher community are strengthening the security of our product and our company in a very real way and we are excited to be able to recognize this with higher bounties. Thank you for your continued contributions and we look forward to your next report!
P.S. There’s still a little time left to participate in our bug bounty contest running October 1 through November 30. Report a bug and be entered to win a sweet piece of GitLab swag!
Photo by Banter Snaps on Unsplash
