2021: Smashing bugs and dropping names

Dec 14, 2021 · 6 min read · Leave a comment
Heather Simpson GitLab profile

2021 was the year where we started to adapt to our new normal, to get back up to speed on how to get work done in new surroundings, many of us remotely for the first time… not us here at GitLab, of course, as we’re all remote, but the rest of the ‘us’ that live and work across the world!

For us here at GitLab, there were definitely still changes 🎉 😉, but within our Application Security team, the group who manages our bug bounty program, 2021 meant program management changes, increased bounties 💥, and changes in how we score vulnerabilities and bounties 🐞.

But first, let’s take a look at 2021 by the numbers.

Metrics

We're now a managed program that pays more

In February of this year, we moved to a managed program on HackerOne. This moved the responsibility for initial triage and the legwork to reproduce new reports to the HackerOne team, and allowed our AppSec team to focus on the fixes, defense-in-depth improvements, code reviews, improved automation, and more. Rest assured though, our security engineers keep an eye on that HackerOne report queue and are ready to jump in when a report requires more in-depth knowledge of GitLab.

And, we’re grateful for every single one of those 752 reports submitted by the amazing security researchers and bug bounty hunters who contribute to our program. You truly do make us stronger and more secure. This is why we went ahead and raised bounties across all bounty ranges on November 22 of this year. We want to ensure we’re competitively rewarding and recognizing the reporters who contribute to our program.

We want you to know

We’re also still working to provide reporters with insight into our bug bounty program processes, wherever possible. In March, via a blog post, we took a deep dive into the GitLab Bug Bounty Council process we use to ensure collaboration and consistency across our severity and bounty assessments. We detailed the way we hold async council discussions and cast votes in GitLab issues and how we started assigning CVSS scores to each vulnerability as an iterative step to further CVSS utilization. You can see that we’ve since started using our own CVSS calculator to be even more transparent and consistent in our award process. We’ll take a closer look at our HackerOne process and CVSS-based scoring method in a blog coming next quarter.

Tips to help your hack

Beyond providing you with an inside look into some of our processes, we worked with some of the top hackers from our program to share video and blog content that includes tips for streamlining your hack via GitLab repositories, projects, issues, labels, and issue boards, details on the types of bugs they like to track, how, exactly, they approach bug hunting on GitLab, ways they ensure they fit hacking in with everything else life throws at them, and even how they choose the programs and features they are going to spend their time on. Alex Chapman, @ajxchapman on HackerOne, and William Bowling, @vakzz on HackerOne, were kind enough to spend some time in public-facing Ask Me Anything (AMA) sessions with us this year. If you’re looking for inspiration, or to learn something new, this series is well worth your time. Have an amazing hacker who contributes to our program that you’d like to see featured in an upcoming AMA? Let us know via twitter at @gitlab or in the comments below!

What’s in store for 2022?

We’ll be kicking off the new year by taking care of some house cleaning in the first few quarters – processing and spending time cleaning up our security backlog to resolve outstanding issues and minimize the chances of your next shiny, new report being a duplicate.

Beyond committing to continually sharing information and insights into our processes and program and highlighting the amazing depth of expertise and talent of the hackers in our program, we're also going to keep looking for ways to improve our program for all who participate, including the potential idea of increased program scope.

Now, onto the really good stuff (I mean, those increased bounties are pretty good, but… 🤑 ).

We announced this year’s bug bounty contest (which commemorates our third year as a public bug bounty program) on November 1 of this year and received 67 reports from 51 different individuals between November 1 and December 3, and 30 of them were from new reporters!

Thanks to all who contributed! 🙌

Congratulations to these five contest winners

Most reputation points from submissions to our program. Congratulations to @ashish_r_padelkar who led the pack in reputation points this period.

Most reputation points collected by a reporter new to our program. Congratulations to @jarij who nailed it with the highest reputation score of any new reporter to our program.

Best written report. Congratulations to @ajxchapman, who once again treated us with a clear and beautifully written report as we've come to expect from Alex. Look no further than his profile page to see other examples of that!

Most innovative report. Congratulations to Ngo Wei Lin of STAR Labs, who found a really clever way to use an intended feature and make a vulnerability out of it.

Most impactful finding. Congratulations to @0xn3va, who we believe with little strokes fell great oaks (or could have)!😉

Since it is GitLab’s policy to share details via public GitLab.com issue 30 days after releasing a fix, more details surrounding the research from the best written report, most innovative report, and most impactful finding category winners will be released in future security release blog posts.

We cannot wait to send you one of what's below (plus a cute little Elgato Stream Deck mini to help you streamline that hack). 😎

custom GitLab Mechanical Keyboard We’re looking forward to your next bug report, submitted with this Tanuki-powered Code V3 with gold-plated cherry mx brown switches.

Here’s to smashing more bugs, together, in 2022. 🥂

Happy hacking,

The GitLab Security team

“We take a look at some of the big things that happened in the @gitlab Bug Bounty program this last year and celebrate the contributions of the bug bounty hunters who make it all possible, including our contest winners!” – Heather Simpson

Click to tweet

Open in Web IDE View source