Each year, GitLab's Application Security team likes to recap the highlights from GitLab's bug bounty program.
It's been a busy 2022 for security teams across the industry, and we have been fortunate to receive a huge number of excellent reports that help us keep GitLab and its customers secure. With the increase we made to our bug bounty award amounts in November 2021 and increased researcher engagement, we've broken a new record by awarding over $1 million USD in bounties during 2022!
We wouldn't be where we are without the collaboration of our bug bounty community, and we consider these awards as hugely beneficial and money well spent.
2022 by the numbers
- Awarded a total of $1,055,770 USD in bounties across 221 valid reports, up from $337,780 last year!
- Three researchers earned $100,000+ USD across their multiple reports, and another seven earned over $20,000 USD.
- Received a total of 920 reports from 424 researchers in 2022.
- Resolved 158 valid reports and made 94 public - this year, we received a number of information leak reports which, unlike vulnerabilities, don't need a public GitLab issue.
- Had 138 security researchers submit more than one report this year, signaling a positive commitment to our program.
- Awarded eight GitLab Ultimate licenses to researchers who submitted three or more valid reports.
Note: Data is accurate as of December 16, 2022.
You can see program statistics updated daily on our HackerOne program page. That's also the place to get started with our program if you want in on the action!
Reports and reporters that stood out
Most valid reports to our program. Congratulations to @joaxcar who made 22 valid and now-resolved reports in 2022.
Most valid reports from a newcomer to our program. Welcome and congratulations to @albatraoz who made seven valid and now-resolved reports in 2022.
Best written report. Well done and thank you @yvvdwf for writing up a really interesting remote code execution bug. The walkthrough of the code and root cause, the scripts to create a dummy malicious server, and the collaboration with our AppSec team during validation was fantastic!
Most innovative report. High five, @vakzz, who captured the flag with a novel local git read vulnerability! He also did a neat followup to @yvvdwf's RCE mentioned above.
Most impactful finding. We're thrilled to recognize @taraszelyk, whose back-to-back information disclosure submissions led to a lot of positive security changes within GitLab. Thanks, Taras!
We will be getting in touch with these researchers to send out GitLab Swag Shop vouchers as a token of our appreciation.
Changes made in 2022
- We adopted HackerOne's Gold Standard Safe Harbor statement. See this announcement from HackerOne.
- We introduced a $20,000 USD capture the flag bonus, which was captured once.
- We created HackerOne Questions, a dedicated space for getting in touch with the AppSec team outside of HackerOne reports.
- Created "Reproducible Vulnerabilities", a brand-new learning resource in our handbook structured with expandable hint sections so that you can challenge yourself and learn how to find real security bugs.
- Continued to iterate transparently on our HackerOne triage process, and on our Bug Bounty Calculator, including standardized amounts for non-vulnerability reports like information leaks.
This year, we also continued to provide content that helps both researchers and other organizations running bug bounty programs:
- GitLab Blog: "Want to start hacking? Here's how to quickly dive in"
- GitLab Blog: "How GitLab handles security bugs (and why it matters)"
- YouTube: NullCon 2022 Video Panel: "CXO Panel: Bug Bounty? Great! Now What?"
As always, it is a real pleasure to work with the best security researchers our industry has to offer, including many newcomers. GitLab's AppSec team is committed to being an industry leader when it comes to the transparency of our bug bounty program and the awards given. Let us know how we're doing so we can iterate on our program processes.
Here's to 2023 - happy hacking!
