Responsible Disclosure Policy

Please email to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report the next business day and strive to send you regular updates about our progress. If you're curious about the status of your disclosure please feel free to email us again. If you want to encrypt your disclosure email please email us to ask for our PGP key.

Alternatively you may also send us your report via HackerOne.

Please refrain from requesting compensation for reporting vulnerabilities. If you want we will publicly acknowledge your responsible disclosure. We also try to make the confidential issue public after the vulnerability is announced, for an example see our impersonation feature issue. HackerOne also makes the bug reports public after 30 days if neither party objects, for an example see the report for a persistent XSS on public project page.

You are not allowed to search for vulnerabilities on itself. GitLab is open source software, you can install a copy yourself and test against that. You can either download CE, EE, or the GitLab Development Kit. If you want to perform testing without setting GitLab up yourself please contact us to arrange access to a staging server.

You can find more details on how we handle security releases here.

On our website you can find more about the availability and security of Security issues that are not vulnerabilities can be seen on our public issue tracker.

Confidential issues

When a vulnerability is discovered we create a confidential issue to track it internally. Security patches are pushed to, which is not publicly accessible, and merged into the security branch. They should not appear on until the security release has been announced and updated packages are available.

Details can be found in our critical release process.