Security is our top priority at GitLab, and like many software companies, we believe security "is everyone's responsibility". The more GitLab team and community members are involved, the better. However, we're also scaling quickly, delivering new and large features often and need to stay focused and aligned with our value of results.
Because of this focus and pace, blind spots can develop when it comes to security, so extra hands, minds, and eyes bring immense value. All security contributions to our documentation, product, and workflow are "actions" we want to recognize and programs that celebrate those who go the extra-mile, think out-of-the-box, or cautiously assess threats and risk, are a great reminder that everyone can contribute to the ongoing effort that is security. This is why we created the Security Awards Program.
How we built a Security Awards Program using GitLab values
The program, opened in 2020, is a simple construct: Every valid submission (or action) earns the reporter points and recognition, and prizes are awarded at the end of each quarter. All non-Security team members and community members are eligible to win a grand prize at the end of the year, where the individual with the highest number of points is awarded the top prize.
Efficiency: Start boring
At GitLab, every new project is an opportunity to live and apply our values. My personal favorite, efficiency, helped us start with a boring solution. The minimum achievement to start the program was to define a basic rule, and document it in our handbook. Nothing more. From this initial merge request, we kicked off program communications and experimented with the first results. The feedback loop was extremely short, and adjustments were made accordingly.
Iteration: Improve it as you go along
Because a successful program needs to scale with time, iteration is key to maintain momentum and quickly improve. The first security award nominations arrived soon after we added the concept of the program to our handbook. To easily keep track of them and enable quick updates, we created a simple markdown file hosted in a specific project. While everything could have stayed the same, we knew automation would help us avoid human errors and ensure the program would scale. Work done this past quarter means the nominations are now fetched weekly, the associated data updated and validated, and everything is published automatically.
Another recent iteration in our Security Awards Program is the move to automatically reward security merge requests (merged) that fix a security bug. Our product is not exempt from bugs or security issues and we saw the number of S3s and S4s (learn more about how we apply severity labels) rising lately. Adding automatic rewards to target and incentivize identifying these security issues is predictable, simple to employ, and helps us reduce security bugs.
Collaboration: Everyone adds value
To be successful, we knew we needed a thriving program that enabled collaboration across the organization and beyond. We work with our AppSec team to identify the initiatives we want to encourage and incentivize, as well as on the overall evaluation of submitted "actions". The workflow here is simple: Once it is identified, an "action" (an issue or a merge request) is labeled with a "nomination" label. Every week, the nominations are imported into a single awards council issue in GitLab for asynchronous discussion. Each nomination is a thread in the council issue, and we use award emojis to set the number of votes. Votes translate to points awarded to the author of the "action".
We engage with nominees when they're awarded, extending the visibility of the program and providing an instant feedback loop.
Diversity, inclusion and belonging: New, better ideas
Remember that at GitLab, everyone can contribute. Contributions from the wider GitLab community are essential to maintaining the level of security we expect for our product. The broad and diverse talents of the global GitLab community and our diversity, inclusion, and belonging value drive inclusivity into this program and we're proud that community contributions play a key role in this program. We also have multiple categories for submissions to encourage participation from engineers and non-engineers alike to ensure we have diversity of thought and innovation.
👉 We want your contributions! 🙌
There are multiple ways to contribute and you can see them outlined in this contribution guide. Any actions that contribute to the security of GitLab are considered and have the potential to be recognized in our Security Awards Program.
Note: For bug bounty hunters interested in researching security vulnerabilities on our platform, we have a bug bounty program on HackerOne where security researchers are invited to submit security bug reports directly for bounties. Those submissions are not considered under this program, but are still really important to us.
Results: Security fixes and awareness
This one is easy. The more bugs we spot and fix, the stronger our product is for our customers, the broader community, and our own teams, who use GitLab daily. Beyond this, the Security Awards Program is a great way to spread knowledge about what we're prioritizing on the Security team and the GitLab issues we use for awards council voting and discussion are a nice weekly resource to generate awareness of changes that matter!
Transparency: Increases visibility and collaboration
The final GitLab value at play here is – last but not least – transparency. It's been widely acknowledged that transparency and security don't always easily mix. And, sure, we admit it's more difficult, but not impossible. Our Security Awards Program is meant to be as transparent as possible, while ensuring no confidential information is leaked through our pipelines. We also try to dogfood as much as we can here, so the transparency around this program presents a great opportunity to experiment with our new threat modeling process. This careful review allows us to keep the source code open and make the whole process available in the handbook. While the "actions" rewarded are often confidential since they are related to vulnerabilities or security issues, the leaderboard with the awarded people is completely public.
Our journey to recognize security initiatives is just getting started. Fleshed out in the spirit of our values, our Security Awards Program is showing constant progress and results, leading to security awareness, engagement, and a more secure organization and product.
Congrats and thank you to our current top 10 contributors 🎉 :
| Contributor | Rank in their category | Points | | @cablett | 1 | 600 | | @alexkalderimis | 2 | 500 | | @engwan | 3 | 480 | | @whaber | 4 | 400 | | @alexpooley | 5 | 400 | | @theoretick | 6| 400 | | @sabrams | 7 | 300 | | @tmaczukin | 8 | 300 | | @nolith | 1 | 300 | | @emanuele.divizio | 1 | 300 |
How do you reward and recognize security fixes in your organization? Is there something more or different we could do in our Security Awards Program? Tell us in the comments!
