Why 2022 was a record-breaking year in bug bounty awards

Dec 19, 2022 · 4 min read
Nick Malcolm

Each year, GitLab's Application Security team likes to recap the highlights from GitLab's bug bounty program.

It's been a busy 2022 for security teams across the industry, and we have been fortunate to receive a huge number of excellent reports that help us keep GitLab and its customers secure. With the increase we made to our bug bounty award amounts in November 2021 and increased researcher engagement, we've broken a new record by awarding over $1 million USD in bounties during 2022!

We wouldn't be where we are without the collaboration of our bug bounty community, and we consider these awards hugely beneficial and money well spent.

2022 by the numbers

Note: Data is accurate as of December 16, 2022.

You can see program statistics updated daily on our HackerOne program page. That's also the place to get started with our program if you want in on the action!

Reports and reporters that stood out

Most valid reports to our program. Congratulations to @joaxcar who made 22 valid and now-resolved reports in 2022.

Most valid reports from a newcomer to our program. Welcome and congratulations to @albatraoz who made seven valid and now-resolved reports in 2022.

Best written report. Well done and thank you @yvvdwf for writing up a really interesting remote code execution bug. The walkthrough of the code and root cause, the scripts to create a dummy malicious server, and the collaboration with our AppSec team during validation were fantastic!

Most innovative report. High five, @vakzz, who captured the flag with a novel local git read vulnerability! He also did a neat follow-up to @yvvdwf's RCE mentioned above.

Most impactful finding. We're thrilled to recognize @taraszelyk, whose back-to-back information disclosure submissions led to a lot of positive security changes within GitLab. Thanks, Taras!

We will be getting in touch with these researchers to send out GitLab Swag Shop vouchers as a token of our appreciation.

Changes made in 2022

This year, we also continued to provide content that helps both researchers and other organizations running bug bounty programs:

As always, it is a real pleasure to work with the best security researchers our industry has to offer, including many newcomers. GitLab's AppSec team is committed to being an industry leader when it comes to the transparency of our bug bounty program and the awards given. Let us know how we're doing so we can iterate on our program processes.

Here's to 2023 - happy hacking!
