Dec 14, 2020 - Heather Simpson

2020 through a bug bounty lens

We take a look back at the year in bugs and bounties and celebrate the reporters and contributions that make us more secure.

What a long, strange trip 2020 has been. It started with hitting the million dollar bounties paid milestone in our HackerOne program, appearing at #6 on HackerOne’s 2020 Top Ten Public Bug Bounties program list (up from our #10 spot from 2019) and having our approach to security and bug bounty program featured in this HackerOne customer story. And then, like many across the globe, our year both screeched to a halt and raged on, as we all moved forward the best that we possibly could throughout a tumultuous year with a ton of eye-opening and unbelievable global happenings spanning the realm of those we’d soon forget, to those we can and should learn and grow from.

One thing remained a constant though: The awesomely talented security researchers who submit to our program kept finding small bugs and big bugs, and our teams kept on triaging, testing, and fixing them.

We’re ending 2020 with a look back at our bug bounty program and the people who have made it a success by making our product and company more secure: our bug bounty researchers!

2020 by the numbers

This year we:

  • Received a total of 1,070 reports from 505 security researchers
  • Awarded a total of $380,800 USD in bounties to 62 different researchers reporting valid vulnerabilities
  • Resolved 259 reports and made 131 of those reports public.
  • Had 163 security researchers submit multiple reports, meaning their first engagement with us was a positive one.

Note: Data pulled is accurate as of Dec. 7, 2020.

Shout out to our Bug Bounty Program manager, James Ritchey for providing these program stats. 📣

Bug bounty program updates

We also rolled out a few new programs and initiatives to recognize and benefit contributors to our program.

This year, we:

  • Reduced the time to bounty in our program from 90 days to 45 days max. We intend to continue iterating on this so that we can shorten this time frame further.
  • Started a new researcher-focused blog series, called (creatively), Ask a Hacker. See our first blog feature with @rpadovani. You can check him out on GitLab too.
  • Kicked off a new Ask Me Anything (AMA) series with some of our top bug bounty hunters. You can see our first AMA with Riccardo Padovani here.
  • Began reporting our monthly program metrics and giving shout-outs to the month's high earners or critical bug contributors! See the metrics we reported out last month.

Together, we are stronger 💪.

Now, onto the really good stuff. We’re excited to announce the winners of our hacking contest, which commemorates our second year as a public bug bounty program. 🎉 🥁 🐛

We announced a bug bounty contest in October and received 138 reports from 87 different individuals between October 1 and November 30, and 55 of them were from new reporters!

Thanks to all who contributed! 🙌

Congratulations to these 5 contest winners

Most reputation points from submissions to our program. Congratulations to @vaib25vicky who was the frontrunner for reputation points this period.

Most reputation points collected by a reporter new to our program. Congratulations to @fsky who clinched the highest reputation score of any new reporter to our program.

Best written report. Congratulations to @afewgoats, your DoS report outlined multiple attack scenarios, provided us with a cool script to reproduce, and was clever and well written!

Most innovative report. Congratulations to @anshraj_srivastava, your discovery surrounding private repositories was a first of its kind in our program.

Most impactful finding. Congratulations @ledz1996, your report on stealing an API OAuth token was eye-opening and innovative.

Since it is GitLab’s policy to share details via public GitLab.com issue 30 days after releasing a fix, more details surrounding the research from the best written report, most innovative report, and most impactful finding category winners will be released in future security release blog posts.

We cannot wait to send you one of these:

[Image: custom GitLab mechanical keyboard] This Tanuki-powered Code V3 with gold-plated Cherry MX Brown switches will light up your hackety hack.

We know though, that 2020 has not been all cherry-plated switches. It's been a trying year for all of us, with plenty of graphs trending in all the wrong ways. There have been highlights though and this program has been a continued source of fresh, expert perspectives, aha moments and positive energy from the sheer skill and innovation the security researchers bring to our program. We’re grateful to have your continued contributions and partnership in making our product and company more secure. Here’s to a better 2021, together.

Happy hacking,

The GitLab Security team
