Give it a go: Capture the flag for $20K USD in our bug bounty program

Aug 24, 2022 · 3 min read · Leave a comment
Heather Simpson GitLab profile

📣 We're issuing a challenge to all the amazing bug bounty hunters out there who make products and organizations like ours more secure. 👇

Capture the Flag (CTF) first and a $20,000 USD bounty is yours.

It's that simple. The idea… not capturing the flag… at least that's our hope. But show us what you got, please. 😛

Why are we doing this?

Our aim with this CTF is to tackle potential vulnerabilities with lower CVSS scores but high business impact that may not get as much attention in our bug bounty program. We want to show those vulns the love through this CTF.

How do you get started?

We've created a private group with a private project that contains a file with a flag. Be the first person to use a permission-related vulnerability to bypass access control, without user interaction, read the flag. and voilà, the $20,000 USD bonus is yours. 🎉 You can get all the details and requirements in our policy: https://hackerone.com/gitlab.

What else do you need to know?

We thought you might have questions, so we've created a few FAQ.

Q: How is this different from other CTFs?
A: There is no known solution yet :). Also, this is a single, ongoing challenge. The sole purpose here is to capture a flag inside a private project of a private group on GitLab.com, with the intent of demonstrating the ability to expose a real-world vulnerability. Similar to most CTFs, we're offering a prize, and valid bug bounty reports of permission-related vulnerabilities that contain this flag will receive a bonus of $20,000 USD.

Q: How will I know when someone has already captured the flag?
A: Currently, there is one (1) flag available. The bonus will be awarded to the first person to find the flag and file a report on our Bug Bounty Program with HackerOne, including the steps to successfully reproduce. We'll update our policy on HackerOne as soon as the flag is found. You can stay informed by subscribing to program updates on our bug bounty program with HackerOne.

Q: Can the flag be captured multiple times?
A: The first valid report with the flag will be awarded the bonus, and, at that time, the CTF will be paused. After testing and improving our defenses, we will re-enable the flag and update our bug bounty program policy to indicate the CTF is open again.

Q: Do I actually have to obtain the flag, or just prove that I can obtain the flag?
A: Yes, you must obtain the flag and include it in a report of a permission-related vulnerability that can bypass access control without user interaction. We have provided the group name (gitlab-h1-bbp-ctf-group) and group ID (55842926) in order to make it clear where the flag can be found.

Q: If I capture the flag, do I get the $20K USD bounty plus any applicable regular bounties?
A: Yes, but please keep in mind that the CTF bonus is specifically for permission-related vulnerabilities that can bypass access control without user interaction. Also, please note that the use of a leaked administrator-privileged token is not eligible for the CTF, but is still eligible for our program's maximum bounty payout.

Stay updated on the CTF

Be sure to subscribe 🔔 to our program on HackerOne, as we'll update our policy each time the flag is captured (which means we'll need to test, fix, and reset) as well as when the flag is available again.

Happy hacking and we look forward to your next report!

Cover image by Sigmund on Unsplash

“Here’s a challenge for all the amazing #bugbounty hunters out there who make products and organizations like @gitlab more secure. Capture the flag first and a $20K USD bounty is yours.” – Heather Simpson

Click to tweet

Open in Web IDE View source