Gitlab hero border pattern left svg Gitlab hero border pattern right svg


On this page

Security Vision

We enhance the security posture of our company, products, and client-facing services. The security team works cross-functionally inside and outside GitLab to meet these goals. The security team does not work directly on security-centric features of our platform—these are handled by the development teams. The specialty areas of our team reflect the major areas of information security.

Engaging the Security On-Call

If you identified an urgent security issue, if something feels wrong, or you need immediate assistance from the Security Team, you have two options available:

Please be aware that the Security Team can only be paged internally. If you are an external party, please proceed to Vulnerability Reports and HackerOne section of this page.

Both mechanisms will trigger the very same process, and as a result, the Security responder on-call will engage in the relevant issue within the appropriate SLA. If the SLA is breached, the Security manager on-call will be paged.

Note: The Security Team will never be upset if you page us for something that turns out to be nothing, but we will be sad if you don't page us and it turns out to be something. IF UNSURE - PAGE US.

External Contact Information

The security team can be contacted at External researchers or other interested parties should refer to our Responsible Disclosure Policy for more information about reporting vulnerabilities. The email address also forwards to a ZenDesk queue that is monitored by the security team.

For security team members, the private PGP key is available in the Security 1Password vault. Refer to PGP process for usage.

Security Department

Security Automation

Security Automation specialists help us scale by creating tools that perform common tasks automatically. Examples include building automated security issue triage and management, proactive vulnerability scanning, and defining security metrics for executive review. Initiatives for this specialty also include:

Application Security

Application Security specialists work closely with development, product security PMs, and third-party groups (including paid bug bounty programs) to ensure pre and post deployment assessments are completed. Initiatives for this specialty also include:

Security Operations

Security Operations specialists respond to incidents. This is often a fast-paced and stressful environment, where responding quickly and maintaining ones composure is critical. Initiatives for this specialty also include:

Security Operations can be contacted on slack via our handle @sec-ops-team or in a Gitlab issue using @gitlab-com/gl-security/secops. If your request requires immediate attention please review the steps for engaging the security on-call.

Abuse Operations

Abuse Operations specialists investigate malicious use of our systems. Initiatives for this specialty include:


Compliance enables Sales by achieving standards as required by our customers and help to verify that the outcomes the security team is trying to achieve are actually being met. This includes SaaS, on-prem, and open source instances. Initiatives for this specialty also include:

Please refer to GitLab's security controls for a detailed list of all compliance controls organized by control family.

Threat Intelligence

Threat intelligence specialists research and provide information about specific threats to help us protect from the types of attacks that could cause the most damage. Initiatives for this specialty also include:

Strategic Security

Strategic security specialists focus on holistic changes to policy, architecture, and processes to reduce entire categories of future security issues. Initiatives for this specialty also include:

Security Research

Security research specialists conduct internal testing against GitLab assets, and against FOSS that is critical to GitLab products and operations. Initiatives for this specialty also include:

Security External Communications

The External Communications Team leads customer advocacy, engagement and communications in support of GitLab Security Team programs. Initiatives for this specialty include:

Red Team

Red team extend the objectives of penetration testing by examining the security posture of organizations and their ability to implement effective cyber defenses. Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Red team exercises provide more comprehensive assessments that reflect real-world conditions over penetration testing. The exercises can further be used to improve security awareness and training and to assess levels of security control effectiveness. GitLab utilizes NIST 800-53 Revision 4 security control CA-8 to define the Red Team and their mission. The control can be found on

Security Team Collaborators

Secure Team

The Security team will collaborate with development and product management for security-related features in GitLab. The Secure team must not be mistaken with the Security Team.

External Security Firms

We work closely with bounty programs, as well as security assessment and penetration testing firms to ensure external review of our security posture.


Information Security Policies Groups and Projects

Slack Channels

Other Frequently Used Projects

Security crosses many teams in the company, so you will find ~security labelled issues across all GitLab projects, especially:

When opening issues, please follow the Creating New Security Issues process for using labels and the confidential flag.

Other Resources for GitLab Team Members

The current board for tracking current Security Department Work is Security Management FY19Q2 This board aggregrates work from the many subgroups and projects under gitlab-com/gl-security used by the various subteams to track their work and projects. High level issues and open issues that map directly to an OKR should be added to this board to provide visibility into the current work of the security team.

When creating an issue that maps to an OKR, apply the following group level labels so that it appears in the board:

These labels can also be applied to MRs related to the work.

Security Releases

The definitions, processes and checklists for security releases are described in the release/docs project.

The policies for backporting changes follow Security Releases for Gitlab EE.

For critical security releases, refer to Critical Security Releases in the handbook for a high level description of communication, and the critical release checklist in release/docs.

Issue Triage

The Security team needs to be able to communicate the priorities of security related issues to the Product, Development, and Infrastructure teams. Here's how the team can set priorities internally for subsequent communication (inspired in part by how the support team does this).

Creating New Security Issues

New security issue should follow these guidelines when being created on

Occasionally, data that should remain confidential, such as the private project contents of a user that reported an issue, may get included in an issue. If necessary, a sanitized issue may need to be created with more general discussion and examples appropriate for public disclosure prior to release.

For review by the Application Security team, @ mention @gitlab-com/gl-security/appsec.

For more immediate attention, refer to Engaging security on-call.

Severity and Priority Labels on ~security Issues

The presence of ~security modifies the standard severity labels(~S1, ~S2, ~S3, ~S4) by additionally taking into account likelihood as described below, as well as any other mitigating or exacerbating factors. The priority of addressing ~security issues is also driven by impact, so in most cases, the priority label assigned by the security team will match the severity label. Exceptions must be noted in issue description or comments.

The intent of tying ~S/~P labels to remediation times is to measure and improve GitLab's response time to security issues to consistently meet or exceed industry standard timelines for responsible disclosure.

Severity Priority Time to remediate
~S1 ~P1 As soon as possible
~S2 ~P2 Within 60 days
~S3 ~P3 Within 90 days

Due date on ~security Issues

For ~S2 and ~S3 ~security issues, the security engineer assigns the Due date, which is the target date of when fixes should be ready for release. This due date should account for the Time to remediate times above, as well as monthly security releases on the 28th of each month. For example, suppose today is October 1st, and a new S2 ~security issue is opened. It must be addressed in a security release within 60 days, which is November 30th. So therefore, it must catch the November 28th security release. Furthermore, the Security Release Process deadlines say that it should the code fix should be ready by November 23rd. So the due date in this example should be November 23rd.

Note that some ~security issues may not need to be part of a code release, such as an infrastructure change. In that case, the due date will not need to account for monthly security release dates.

On occasion, the due date of such an issue may need to be changed if the security team needs to move up or delay a monthly security release date to accommodate for urgent problems that arise.

~S1 ~security issues do not have a due date since they should be fixed as soon as possible, and a security release made available as soon as possible to accommodate it.


Security issues which would be triaged as ~S4, are most likely ~features that should be triaged and prioritized by a product manager. This includes suggestions without a well-defined path for implementation or requiring complex changes to the application or architecture to address. ~S4/~P4 may be used for ~features as assigned by a product manager and do not need assignment to a release.

~"security request"

The security team may also apply ~internal customer and ~security request to issue as an indication that the feature is being requested by the security team to meet additional customer requirements, compliance or operational needs in support of

Transferring from Security to Engineering

The security engineer must:

The product manager will assign a Milestone to communicate when work will be assigned to engineers. The Due date field, severity label, and priority label should not be changed by PMs, as these labels are intended to provide accurate metrics on ~security issues, and are assigned by the Security Team.

Note that issues are not scheduled for a particular release unless the team leads add them to a release milestone and they are assigned to a developer.

Issues with an S1 or S2 rating should be immediately brought to the attention of the relevant engineering team leads and product managers by tagging them in the issue and/or escalating via chat and email if they are unresponsive.

Issues with an S1 rating have priority over all other issues and should be considered for a critical security release.

Issues with an S2 rating should be scheduled for the next scheduled security release, which may be days or weeks ahead depending on severity and other issues that are waiting for patches. An S2 rating is not a guarantee that a patch will be ready prior to the next security release, but that should be the goal.

Issues with an S3 rating have a lower sense of urgency and are assigned a target of the next minor version. If a low-risk or low-impact vulnerability is reported that would normally be rated S3 but the reporter has provided a 30 day time window (or less) for disclosure the issue may be escalated to ensure that it is patched before disclosure.

Security issue becoming irrelevant due to unrelated code changes

It is possible that a ~security issue becomes irrelevant after it was initially triaged, but before a patch was implemented. For example, the vulnerable functionality was removed or significantly changed resulting in the vulnerability not being present anymore.

If an engineer notices that an issue has become irrelevant, he should @-mention the person that triaged the issue to confirm that the vulnerability is not present anymore. Note that it might still be necessary to backport a patch to previous releases according to our maintenance policy. In case no backports are necessary, the issue can be closed.

Access Management Process

Centralized access management is key to ensuring that the correct GitLab team-members have access to the correct data and systems and at the correct level. GitLab access controls are guided by the principle of least privilege and need-to-know. These controls apply to information and information processing systems at the application and operating system layers, including networks and network services.

The access request project is used to request and track the following access-related activities:

  1. New Access Requests
  2. Access Removal Requests
  3. Access Reviews
  4. New Service Account Requests

Usage guidelines for each of the access templates is outlined in the project's README file

These templates should be used during the onboarding process and throughout the employment tenure of a GitLabber. Access required as part of the team member's onboarding should be requested using the New Access Requests or if applicable, one of the available Baseline Role-based Entitlements templates.

Access Control Policy and Procedures

Bulk Access Requests

Access Requests and Onboarding

During the onboarding process, the manager should determine which email and slack groups the new team member should be added to. Also determine if new team member will need access to the dev server, which is used by engineers to prepare fixes for security issues and also allows for access to and If so, request the creation of a new account with the same username the team member has on and an invitation to the gitlab group as a Developer. Fill out one access request for both the groups and Dev account if needed.


Access Reviews

Access Control Process Exceptions

Baseline Role-Based Entitlements Access Runbooks & Issue Templates

System Asset User Role Expected Role
AWS - Gitter SRE Administrator
AWS - Staging SRE Administrator
AWS- SRE Administrator
Azure SRE Global Administrator SRE add Admin role to regular account
Digital Ocean SRE Member SRE Admin - admin account-username SRE added w/ production group from chef users databag SRE add Admin role to regular account
GCP SRE Folder Admin/Infra.
Chef SRE Admin
Pager Duty SRE Admin SRE Admin
1Password Vaults SRE Vaults: Team, DevOps, Gitter, Production
Rackspace SRE Admin for Tickets, Observer for Billing
System Asset User Role Expected Role
AWS - Security SecOps Administrator
AWS - SecOps ReadOnly
GCP SecOps;;
Digital Ocean SecOps Member SecOps Admin - admin-username SecOps added w/ production group from chef users databag SecOps Admin - username (one account) SecOps Admin - username (one account)
Slack SecOps Workspace Admin
G Suite SecOps Super Admin
1Password SecOps Administrator
Snowflake SecOps securityadmin, sysadmin
HackerOne SecOps Report
PagerDuty SecOps Admin SecOps Organization Admin for GitLab Security Department
System Asset User Role Expected Role
AWS - Security SecAuto Administrator
AWS - SecAuto ReadOnly
GCP SecAuto;
Digital Ocean SecAuto Member SecAuto Admin - admin-username SecAuto added w/ production group from chef users databag SecAuto Admin - username (one account) SecAuto Admin - username (one account)
Slack SecAuto Workspace Admin
G Suite SecAuto Super Admin
1Password SecAuto Administrator
Periscope SecAuto Default
Snowflake SecAuto securityadmin, sysadmin
HackerOne SecAuto Report
PagerDuty SecAuto Admin SecAuto Organization Admin for GitLab Security Department
Okta SecAuto Read-Only Admin
System Asset User Role Expected Role
GitLab HQ FrontendEng Developer FrontendEng User
Email Groups FrontendEng Groups FrontendEng [at]gl-frontend
GCP FrontendEng gitlab-internal (Kubernetes User)
Slack FrontendEng User (@frontend-team) FrontendEng User FrontendEng User
System Asset User Role Expected Role
GitLab HQ BackendEng Developers BackendEng User Groups BackendEng Developer
GCP BackendEng roles/container.admin role for gitlab-internal-153318 project
Slack BackendEng User (member of @developers) BackendEng Developer in the gitlab group
server access BackendEng ability to SSH into

When submitting a new access-request issue for either of these roles, please chose the template corresponding with the role of the person for which you are submitting the access request.

Access Control Procedure Activities

GitLab's access controls include the following control activities:

  1. user registration and de-registration
  2. user access provisioning
  3. removal of adjustment of user access rights
  4. management of privileged access rights
  5. management and use of secret authentication information
  6. review and recertification of user access rights
  7. secure log-on procedures
  8. management of passwords and tokens
  9. access to privileged utility programs
  10. access to program source code

Account Naming Conventions

Automated Group Membership Reports for Managers

If you would like to check whether or not a team-member is a member of a Slack or a G-Suite group, you can view the following automated group membership reports:

G-Suite Group Membership Reports

Slack Group Membership Reports

Internal Application Security Reviews

For systems built (or significantly modified) by functional groups that house customer and other sensitive data, the Security Team should perform applicable application security reviews to ensure the systems are hardened. Security reviews aim to help reduce vulnerabilities and to create a more secure product.

When to request a security review?

  1. If your changes are processing, storing, or transferring any kind of RED or ORANGE data, it should be reviewed by the application security team.
  2. If your changes involve implementing, utilizing, or is otherwise related to any type of authentication, authorization, or session handling mechanism, it should be reviewed by the application security team.
  3. If your changes have a goal which requires a cryptographic function such as: confidentiality, integrity, authentication, or non-repudiation, it should be reviewed by the application security team.

How to request a security review?

There are two ways to request a security review depending on how significant the changes are. It is divided between individual merge requests and larger scale initiatives.

Individual merge requests

Loop in the application security team by /cc @gitlab\-com/gl\-security/appsec in your merge request.

These reviews are intended to be faster, more lightweight, and have a lower barrier of entry.

Larger scale initiatives

To get started, create an issue in the security tracker, add the app sec review label, and submit a triage questionnaire form. The complete process can be found at here.

Some use cases of this are for epics, milestones, reviewing for a common security weakness in the entire codebase, or larger features.

Is security approval required to progress?

No, code changes do not require security approval to progress. Non-blocking reviews enables the freedom for our code to keep shipping fast, and it closer aligns with our values of iteration and efficiency. They operate more as guardrails instead of a gate.

What should I provide when requesting a security review?

To help speed up a review, it's recommended to provide any or all of the following:

What does the security process look like?

The current process for larger scale internal application security reviews be found here

My changes have been reviewed by security, so is my project now secure?

Security reviews are not proof or certification that the code changes are secure. They are best effort, and additional vulnerabilities may exist after a review.

It's important to note here that application security reviews are not a one-and-done, but can be ongoing as the application under review evolves.

Fighting Spam

The security team plays a large role in defining procedures for defending against and dealing with spam. Common targets for spam are public snippets, projects, issues, merge requests, and comments. Advanced techniques for dealing with these types of spam are detailed in the Spam Fighting runbook.

For any actions taken on an account:

The purpose of adding Admin Notes allow us to better assist the Support Team and Production if there are any questions around changes made to an account by the Security Team.

DMCA Requests

The Security Team plays a big role in defining the procedures and reviewing Digital Millennium Copyright Act (DMCA) requests. All DMCA requests need to be vetted by Legal first before any further steps are taken to proceed with the take down of reported content. Reported content that has been successfully vetted by Legal must be referred to the Abuse Team before any action is taken.

For DMCA requests the Abuse Team will follow the below process

Abuse works in conjunction with Legal referencing the DMCA Removal Workflow

Vulnerability Reports and HackerOne

GitLab receives vulnerability reports by various pathways, including:

For any reported vulnerability:

HackerOne Process

GitLab utilizes HackerOne for its bug bounty program. Security researchers can report vulnerabilities in GitLab applications or the GitLab infrastructure via the HackerOne website. Team members authorized to respond to HackerOne reports use procedures outlined here.

The #hackerone-feed Slack channel receives notifications of report status changes and comments via HackerOne's Slack integration.

Triage Rotation

Application Security team members may assign themselves as the directly responsible individual (DRI) for incoming HackerOne reports for a given calendar week in the Triage Rotation Google Sheet in the Security Team Drive.


Team members should not assign themselves on weeks they are responsible for the scheduled security release.

Team members not assigned as the DRI for the week should continue to triage reports when possible, especially to close duplicates or handle related reports to those they have already triaged.

Team members remain responsible for their own assigned reports.

Working the Queue

If a Report is Unclear

If a report is unclear, or the reviewer has any questions about the validity of the finding or how it can be exploited, now is the time to ask. Move the report to the "Needs More Info" state until the researcher has provided all the information necessary to determine the validity and impact of the finding. Use your best judgement to determine whether it makes sense to open a confidential issue anyway, noting in it that you are seeking more information from the reporter. When in doubt, err on the side of opening the issue.

One the report has been clarified, follow the "regular flow" described above.

If a Report Violates the Rules

If a report violates the rules of GitLab's bug bounty program use good judgement in deciding how to proceed. For instance, if a researcher has tested a vulnerability against GitLab production systems (a violation), but the vulnerability has not placed GitLab user data at risk, notify them that they have violated the terms of the bounty program but you are still taking the report seriously and will treat it normally. If the researcher has acted in a dangerous or malicious way, inform them that they have violated the terms of the bug bounty program and will not receive credit. Then continue with the "regular flow" as you normally would.

If the Report is Invalid

If the report is invalid (in your determination) or does not pose a security risk to GitLab or GitLab users it can be closed without opening an issue on When this happens inform the researcher why it is not a vulnerability and close the issue as "Informational". HackerOne offers the option to close an issue as "Not Applicable" or "Spam". Both of these categories result in damage to the researcher's reputation and should only be used in obvious cases of abuse.

When a Patch is Ready

When a patch has been developed, tested, approved, merged into the security branch, and a new security release is being prepared it is time to inform the researcher via HackerOne. Post a comment on the HackerOne issue to all parties informing them that a patch is ready and will be included with the next security release. Provide release dates, if available, but try not to promise a release on a specific date if you are unsure.

This is also a good time to ask if they would like public credit in our release blog post and on our vulnerability acknowledgements page for the finding. We will link their name or alias to their HackerOne profile, Twitter handle, Facebook profile, company website, or URL of their choosing. Also ask if they would like the HackerOne report to be made public upon release. It is always preferable to publicly disclose reports unless the researcher has an objection.


We use CVE IDs to uniquely identify and publicly define vulnerabilities in our products. Since we publicly disclose all security vulnerabilities 30 days after a patch is released, CVE IDs must be obtained for each vulnerability to be fixed. The earlier obtained the better, and it should be requested either during or immediately after a fix is prepared.

We currently request CVEs either through the HackerOne team or directly through MITRE's webform. Keep in mind that some of our security releases contain security related enhancements which may not have an associated CWE or vulnerability. These particular issues are not required to obtain a CVE since there's no associated vulnerability.

On Release Day

On the day of the security release several things happen in order:

Once all of these things have happened notify the HackerOne researcher that the vulnerability and patch are now public. The GitLab issue should be closed and the HackerOne report should be closed as "Resolved". Public disclosure should be requested if they have not objected to doing so. Any sensitive information contained in the HackerOne report should be sanitized before disclosure.

Swag for Reports

GitLab awards swag codes for free GitLab swag to any reports that result in a security patch. Limit: 1 per reporter. When a report is closed, ask the reporter if they would like a swag code for free GitLab clothing or accessories. Swag codes are available by request from the marketing team.

Handling Disruptive Researcher Activity

Even though many of our 3rd-party dependencies, hosted services, and the static site are listed explicitly as out of scope, they are sometimes targeted by researchers. This results in disruption to normal GitLab operations. In these cases, if a valid email can be associated with the activity, a warning such as the following should be sent to the researcher using an official channel of communication such as ZenDesk.

Dear Security Researcher,

The system that you are accessing is currently out-of-scope for our bounty
program or has resulted in activity that is disruptive to normal GitLab
operations. Reports resulting from this activity may be disqualified from
receiving a paid bounty. Continued access to this system causing disuption to
GitLab operations, as described in policy under "Rules of Engagement,
Testing, and Proof-of-concepts", may result in additional restrictions on
participation in our program:

  Activity that is disruptive to GitLab operations will result in account bans and disqualification of the report.

Further details and some examples are available in the full policy available at:

Please contact us at with any questions.

Best Regards,

Security Department | GitLab

External Code Contributions

We have a process in place to conduct security reviews for externally contributed code, especially if the code functionality includes any of the following:

The Security Team works with our Community Outreach Team to ensure that security reviews are conducted where relevant. For more information about contributing, please reference the Contribute to GitLab page.

Security Questionnaires for Customers

Some customers, to keep up with regulations that impact their business, need to understand the security implications of installing any software - including software like GitLab.


The current process for responding to customer requests is:

  1. Refer a customer to our public statements on security here
  2. If a customer still has questions that need to be discussed, you can engage a Solutions Architect in that discussion.
  3. If the customer still needs a specific questionnaire filled out, create a confidential issue on the appropriate SA Triage board using the Vendor Security Assessment template with the label Security Audit and for the completion of that document
  4. The SA team will take the first pass at the questionnaire using /security/ and this folder as a reference.
  5. Once the SA team has completed what they can, the questionnaire will go to the security team for additional answers.
  6. The security team requests ten (10) business days to complete their review. In many cases we can turn these around more quickly so every effort will be made to meet requested deadline.
  7. Once the questionnaire is complete, it will need to be approved by the Director of Security for release to the customer.
  8. File the completed questionnaire in the example folder for future reference.

Vulnerability Scanning

GitLab maintains a custom vulnerability scanner that is used to regularly scan all GitLab assets for common vulnerabilities as well as previously patched GitLab vulnerabilities and to ensure that no GitLab security-sensitive services are accidentally exposed.

Details on this scanner and how it is configured are available to all team members in a Google Doc entitled "Vulnerability Scanner Config".

Package Signing

The packages we ship are signed with GPG keys, as described in the omnibus documentation. The process around how to make and store the key pair in a secure manner is described in the runbooks. Those runbooks also point out that the management of the keys is handled by the Security team and not the Build team. For more details that are specific to key locations and access at GitLab, find the internal google doc titled "Package Signing Keys at GitLab" on Google Drive.