Group Direction - Anti-Abuse

Maintained by:

The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.

Overview

Create protections against abusive activiy within a GitLab instance. This includes abuse, spam, and other activity for users within a GitLab instance.

Goal

Protect GitLab instances from user behavior that disrupts productivity or an organization's ability to build and deploy code.

Mission

We make abuse manageable.

Our goal is not to stop abuse. Barriers to stop abusive behavior have an exponentially diminishing rate of return. The more barriers that you impose to stop abuse the more you discourage legitimate usage. As a result, efforts to stop abuse become more costly than the abuse itself. Our goal is to surface abuse before it causes disruption and allow our automated systems, the Trust and Safety team, or the admin of the self-managed instance to take the correct action for that abuse – or correct any action that was taken in error

Our Responsibilities

Implement CAPTCHA to prevent malicious programatic actions
Implement User Trust Score to inform rate or usage limiting
Introduce barriers to entry at signup to prevent repetitive abusers from accessing the platform
Maintain Pipeline Validation Service (PVS) to prevent those users who make it through our barriers from utilizing the GitLab platform in a disruptive or malicious way.

Ownership

CAPTCHA

Utility
- We use CAPTCHA to prevent programmable actions with the UI.
Stakeholders
- Trust and Safety

User Trust Score

Utility
- We use the User Trust Score to gauge the intent of a user. The score should predict how likely a user is to utilize the platform in a malicious way. Conversely, the User Trust Score should also predict how likely the user is to become a valuable user of the platform.
Stakeholders
- Security Automation
- Growth
- Product Analytics
- Trust & Safety

Barriers to entry

Utility
- The majority of abuse stems from new users. Barriers to entry are a mechanism to prevent repetitive abuse by placing additional barriers in front of users that we determine could be at high risk of perpetrating abuse.
Stakeholders
- Growth

PVS (Pipeline validation service)

Utility
- PVS monitors abusive behavior within pipelines to prevent users from utilizing pipelines for other-than-intended use cases.
Stakeholders
- Enablement

Confidential issues

A number of issues are intentionally confidential despite our value of transparency. This is because we don't want to make it obvious to abusers the exact details of our controls. We aren't relying on "security by obscurity"; however, we also don't want to make it easier for the abusers.

The Plan

What We Recently Completed

Initial implementation of Pipeline Validation Service
Various changes to GitLab.com to help mitigate Cryptomining abuse. Read more about coming changes.

What's next for us

See internal handbook

GitLab team members can reach Anti-Abuse via:

Slack: #g_anti-abuse channel

Last Reviewed: 2021-10-26
Last Updated: 2021-10-26