Published on: January 4, 2024

The 2023 bug bounty year in review

GitLab's bug bounty program had an incredible year. Learn more about the prizes awarded and the bug reporters who won them.


Each year, our Application Security team recaps the highlights from the GitLab Bug Bounty Program. Let's go through some statistics from the year that has passed, and celebrate five outstanding researchers from our program.

We wouldn't be where we are without the collaboration of our bug bounty community, and we consider these awards as hugely beneficial and money well spent. Let's dive into the details!

📈 GitLab Bug Bounty Program by the numbers 📈

  • Awarded a total of $843,639 USD in bounties across 318 valid reports.
  • Received a total of 1,277 reports from 511 researchers in 2023.
  • Out of the 511 researchers, 449 were new to our program. Hi, new researchers! We see you! 👋
  • Our busiest month was June, when we paid out over $150,000!

Note: Data is accurate as of December 19th, 2023.

You can see program statistics updated daily on our HackerOne program page.

As is tradition by now, we want to highlight some of our wonderful reporters. Drum roll, please, for our five reporters of the year... 🥁

πŸ† 2023 reports of the year πŸ†

  • Most valid reports to our program

    • Congratulations to mateuszek who made 26 valid reports in 2023! A huge effort, which we really appreciate.
  • Most valid reports from a newcomer to our program

    • Welcome and congratulations to js_noob who made 19 valid reports in 2023!
  • Best written reports

    • For the second year in a row, yvvdwf takes the award for consistently writing fantastic reports. The reports are always easy to follow, with short and clear steps to reproduce, which the team really appreciates.
  • Most innovative report

  • Most impactful finding

    • You don't get more impactful than getting a 10 in the world of CVSS – and pwnie delivered just that with the discovery of an arbitrary file read.

As a thank you for their hard work this year, we have organized something special for the researchers mentioned above - they will receive a surprise gift set, with our new GitLab Bug Bounty design (winners, make sure to check your HackerOne emails!).

✨ Other happenings in 2023 ✨

In 2023, we introduced 90-day challenges, where every 90 days(-ish) we roll out a new challenge.

Our first one was an unauthenticated, zero-click remote code execution challenge, and our current one (open until 2024-02-20 00:00 UTC) is an account takeover challenge that requires no user interaction. If you manage this, we'll raise the bounty to $50,000, regardless of the CVSS score! More details can be found on our HackerOne program page.

We also hosted another "Ask a hacker AMA" – this time with @0xn3va. Read the summary blog post, which includes a link to the recording.

We look forward to seeing your reports in 2024!
