Each year, our Application Security team recaps the highlights from the GitLab Bug Bounty Program. Let's go through some statistics from the year that has passed, and celebrate five outstanding researchers from our program.
We wouldn't be where we are without the collaboration of our bug bounty community, and we consider these awards hugely beneficial and money well spent. Let's dive into the details!
GitLab Bug Bounty Program by the numbers
- Awarded a total of $843,639 USD in bounties across 318 valid reports.
- Received a total of 1,277 reports from 511 researchers in 2023.
- Out of the 511 researchers, 449 were new to our program. Hi, new researchers! We see you!
- Our busiest month was June, when we paid out over $150,000!
Note: Data is accurate as of December 19th, 2023.
You can see program statistics updated daily on our HackerOne program page.
As is tradition by now, we want to highlight some of our wonderful reporters. Drum roll, please, for our five reporters of the year...
2023 reports of the year
- Most valid reports to our program: Congratulations to mateuszek, who made 26 valid reports in 2023! A huge effort, which we really appreciate.
- Most valid reports from a newcomer to our program: Welcome and congratulations to js_noob, who made 19 valid reports in 2023!
- Best written reports: For the second year in a row, yvvdwf takes the award for consistently writing fantastic reports. The reports are always easy to follow, with short and clear steps to reproduce, which the team really appreciates.
- Most innovative report: joaxcar dug into some dark, strange places to find a weird Safari edge case. Thank you for your sleuthing!
- Most impactful finding: You don't get more impactful than getting a 10 in the world of CVSS, and pwnie delivered just that with the discovery of an arbitrary file read.
As a thank you for their hard work this year, we have organized something special for the researchers mentioned above: they will receive a surprise gift set with our new GitLab Bug Bounty design (winners, make sure to check your HackerOne emails!).
Other happenings in 2023
In 2023, we introduced 90-day challenges, where every 90 days(-ish) we roll out a new challenge.
Our first one was an unauthenticated 0-click remote code execution, and our current one (until 2024-02-20 00:00 UTC) is an account takeover challenge without any user interaction. If you manage this, then we'll raise the bounty to $50,000, regardless of the CVSS! More details can be found on our HackerOne program page.
We also hosted another "Ask a hacker AMA", this time with @0xn3va. Read the summary blog post, which includes a link to the recording.
We look forward to seeing your reports in 2024!