Our 3rd annual bug bounty contest: the swagtastic sequel to the sequel

Nov 1, 2021 · 5 min read
Heather Simpson

Our favorite time of the year is here! That time of year when we try to pause 😅, reflect, and look back at the year’s accomplishments 🙌.

For our Application Security group here at GitLab, this means we’re looking back on the efforts we’ve made to secure the GitLab application. A big part of securing our product comes from the contributions of extremely talented bug bounty hunters across the globe who work year-round to seek and identify bugs in our platform. So far this year, we’ve had 670 submissions from 359 different reporters.

Thank you to everyone who has contributed this year via our HackerOne program.

🎉 Increased bounties across all bounty ranges 🎉

New! Updated November 22, 2021

We value the innovative and hugely impactful contributions made by security researchers through our bug bounty program and want to ensure we’re competitively rewarding and recognizing those contributions. Because of this, we’re raising our bounties for new reports submitted after 16:00 UTC November 22, 2021.

Critical: $20,000 - $35,000
High: $5,000 - $15,000
Medium: $1,000 - $2500
Low: $100 - $750

Standardizing bounty calculations

Also of note, we’re working to further standardize the way we calculate both severities and bounties with our new CVSS calculator, developed by Application Security team member Michael Henriksen. This calculator allows us to be more transparent and consistent in our award process. We plan to dive deeper into our HackerOne process and CVSS-based scoring method in a blog post next quarter.

And, to celebrate our bug bounty hunting community and our third year as a public bug bounty program, we’re holding a Bug Bounty contest starting November 1 until December 3, 2021!

Three-year anniversary hacking contest



Our community hacking contest kicks off November 1 at 4 am UTC and closes on December 3, 2021 at 4 pm UTC. Just find and report a bug to our HackerOne bug bounty program and you're entered to win. The top contributor in the following categories will receive a sweet piece of custom GitLab swag:

Most reputation points from submissions to our program. Collect the most reputation points from submissions to our program and win!

Most reputation points collected by a reporter new to our program. Getting started with a new bug bounty program is difficult. This one goes out to all the new reporters out there.

Best written report. See above. A well-written report goes a long way to demonstrate impact and to help us reproduce the problem efficiently and accurately.

Most innovative report. Sometimes reporters demonstrate true out-of-the-box thinking in their approach to finding bugs. We appreciate this creativity.

Most impactful finding. At the end of the day, these high-risk, high-reward vulnerabilities are what we’re all looking for.

The winners will be announced on Dec. 14, 2021 via a GitLab blog post and on Twitter. A contributor can win at most one category. Of course, regular bounties still apply to any of your findings.

Need some inspiration?

We release new features on the 22nd of every month. Might we suggest learning more about our release process and checking out the latest monthly release blog post for some inspiration? 😉

You can get tips on what our team looks for in bug bounty reports by reading “Our top tips for better bug bounty reports”.

Learn from some of the best

👉 In our blog, Riccardo Padovani, @rpadovani on HackerOne, shared advice they’d give someone looking to start participating as a researcher in a bug bounty program.

Take note of features that are interesting to you. Keep notes where you can review what you have already done, and what you have already found. This will be useful if you step away and come back to a target. It takes time and it takes luck. Do not leave your day job until you are well on your way, and remember to set aside some money to pay your taxes when they are due!

🔎 In this clip from his GitLab AMA, Riccardo talks about how he approaches bug hunting on GitLab.

⏱ In this clip from his GitLab AMA, Alex Chapman, @ajxchapman on HackerOne, talks about how he efficiently and effectively fits bug bounty hunting in with all of life’s other priorities. You can learn more about his approach in our blog post, “How do bug bounty hunters use GitLab to help their hack?”.

👀 See how William Bowling, @vakzz on HackerOne, responded to a question around how he chooses which programs and features he’ll focus his bug bounty hunting efforts on in a recent GitLab AMA.

🕵️ And check out this video to see what top bug bounty hunter, contributor, and GitLab alumnus Ron Chan (@ngalog on HackerOne) shares as his “Secret to finding critical security issues on GitLab”.

If you’re wondering what the custom GitLab swag might be, you can check out 2020’s giveaway (and the winners) and peep what we gave away in 2019, and who won. Know that we want you to contribute in style. 😎

Happy hacking!

“Clickety clack, it’s a great time to hack! Report a bug to the @gitLab #BugBounty program on @Hacker0x01 before Dec. 3 and you'll be entered to win a sweet piece of custom swag. Oh, and newly raised bounties across the board!” – Heather Simpson
