2020 through a bug bounty lens

Dec 14, 2020 · 4 min read
Heather Simpson

What a long, strange trip 2020 has been. It started with hitting the million-dollar milestone in bounties paid through our HackerOne program, appearing at #6 on HackerOne’s 2020 Top Ten Public Bug Bounty Programs list (up from our #10 spot in 2019), and having our approach to security and our bug bounty program featured in this HackerOne customer story. And then, like many across the globe, our year both screeched to a halt and raged on, as we all moved forward as best we could through a tumultuous year full of eye-opening and unbelievable global events, some we would sooner forget and some we can and should learn and grow from.

One thing remained a constant though: The awesomely talented security researchers who submit to our program kept finding small bugs and big bugs, and our teams kept on triaging, testing, and fixing them.

We’re ending 2020 with a look back at our bug bounty program and the people who have made it a success by making our product and company more secure: our bug bounty researchers!

2020 by the numbers

This year we:

Note: Data pulled is accurate as of Dec. 7, 2020.

Shout out to our Bug Bounty Program manager, James Ritchey for providing these program stats. 📣

Bug bounty program updates

We also rolled out a few new programs and initiatives to recognize and benefit contributors to our program.

This year, we:

Together, we are stronger 💪.

Now, onto the really good stuff. We’re excited to announce the winners of our hacking contest, which commemorates our second year as a public bug bounty program. 🎉 🥁 🐛

We announced a bug bounty contest in October and received 138 reports from 87 different individuals between October 1 and November 30, and 55 of them were from new reporters!

Thanks to all who contributed! 🙌

Congratulations to these 5 contest winners

Most reputation points from submissions to our program. Congratulations to @vaib25vicky who was the frontrunner for reputation points this period.

Most reputation points collected by a reporter new to our program. Congratulations to @fsky who clinched the highest reputation score of any new reporter to our program.

Best written report. Congratulations to @afewgoats, your DoS report outlined multiple attack scenarios, provided us with a cool script to reproduce, and was clever and well written!

Most innovative report. Congratulations to @anshraj_srivastava, your discovery surrounding private repositories was a first of its kind in our program.

Most impactful finding. Congratulations @ledz1996, your report on stealing an API OAuth token was eye-opening and innovative.

Since it is GitLab’s policy to share details via a public GitLab.com issue 30 days after releasing a fix, more details on the research behind the best written report, most innovative report, and most impactful finding winners will be released in future security release blog posts.

We cannot wait to send you one of these:

[Image: custom GitLab mechanical keyboard] This Tanuki-powered Code V3 with gold-plated Cherry MX Brown switches will light up your hackety hack.

We know though, that 2020 has not been all cherry-plated switches. It's been a trying year for all of us, with plenty of graphs trending in all the wrong ways. There have been highlights though and this program has been a continued source of fresh, expert perspectives, aha moments and positive energy from the sheer skill and innovation the security researchers bring to our program. We’re grateful to have your continued contributions and partnership in making our product and company more secure. Here’s to a better 2021, together.

Happy hacking,

The GitLab Security team

“We take a look back at the year in bugs and bounties and celebrate the #bugbounty researchers and contributions that make us more secure.” – Heather Simpson
