Blog Security Why 2022 was a record-breaking year in bug bounty awards
Published on: December 19, 2022
4 min read

Why 2022 was a record-breaking year in bug bounty awards

Find out about the researchers who together earned more than $1 million USD in prizes and their bug hunting contributions.

inside-gitLab-public-bug-bounty-program.png

Each year, GitLab's Application Security team likes to recap the highlights from GitLab's bug bounty program.

It's been a busy 2022 for security teams across the industry, and we have been fortunate to receive a huge number of excellent reports that help us keep GitLab and its customers secure. With the increase we made to our bug bounty award amounts in November 2021 and increased researcher engagement, we've broken a new record by awarding over $1 million USD in bounties during 2022!

We wouldn't be where we are without the collaboration of our bug bounty community, and we consider these awards as hugely beneficial and money well spent.

2022 by the numbers

  • Awarded a total of $1,055,770 USD in bounties across 221 valid reports, up from $337,780 last year!
  • Three researchers earned $100,000+ USD across their multiple reports, and another seven earned over $20,000 USD.
  • Received a total of 920 reports from 424 researchers in 2022.
  • Resolved 158 valid reports and made 94 public - this year, we received a number of information leak reports which, unlike vulnerabilities, don't need a public GitLab issue.
  • Had 138 security researchers submit more than one report this year, signaling a positive commitment to our program.
  • Awarded eight GitLab Ultimate licenses to researchers who submitted three or more valid reports.

Note: Data is accurate as of December 16, 2022.

You can see program statistics updated daily on our HackerOne program page. That's also the place to get started with our program if you want in on the action!

Reports and reporters that stood out

Most valid reports to our program. Congratulations to @joaxcar who made 22 valid and now-resolved reports in 2022.

Most valid reports from a newcomer to our program. Welcome and congratulations to @albatraoz who made seven valid and now-resolved reports in 2022.

Best written report. Well done and thank you @yvvdwf for writing up a really interesting remote code execution bug. The walkthrough of the code and root cause, the scripts to create a dummy malicious server, and the collaboration with our AppSec team during validation was fantastic!

Most innovative report. High five, @vakzz, who captured the flag with a novel local git read vulnerability! He also did a neat followup to @yvvdwf's RCE mentioned above.

Most impactful finding. We're thrilled to recognize @taraszelyk, whose back-to-back information disclosure submissions led to a lot of positive security changes within GitLab. Thanks, Taras!

We will be getting in touch with these researchers to send out GitLab Swag Shop vouchers as a token of our appreciation.

Changes made in 2022

This year, we also continued to provide content that helps both researchers and other organizations running bug bounty programs:

As always, it is a real pleasure to work with the best security researchers our industry has to offer, including many newcomers. GitLab's AppSec team is committed to being an industry leader when it comes to the transparency of our bug bounty program and the awards given. Let us know how we're doing so we can iterate on our program processes.

Here's to 2023 - happy hacking!

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert