The Field Security team triages and responds to ZenDesk tickets that come from emails sent to email@example.com. Users email with questions and concerns about their accounts and the security of GitLab as a SaaS platform. These emails open tickets in ZenDesk, which is monitored by the Field Security team for triage.
Tickets are handled in one of the four ways described below.
Field Security has a 1 business-day SLA to handle the ticket. When Field Security has all the required information, a friendly, concise, and complete answer to the requestor's concern is provided and the ticket is closed as "Solved". The ticket requestor may reopen the ticket at any time should they require further assistance.
When additional information is required, an issue is opened for the appropriate team (e.g. Security Operations, Application Security, Abuse, Security Compliance, etc.) and the requestor is notified that additional research on our part is required. These issues are monitored and once the required information has been collected, that information is provided to the ticket requestor and the ticket is closed. Periodic updates are given to the requestor as appropriate.
There are 3 classes of tickets that Field Security cannot handle directly; these are forwarded and/or answered with referral information for the requestor:
firstname.lastname@example.org. Our Support team has established workflows for lost passwords, 2FA lockouts, blocked accounts, and other issues related to authentication. These tickets can be forwarded within ZenDesk where they are promptly handled by a member of that team.
email@example.com they prefer not to go through HackerOne.
firstname.lastname@example.org. Our DMCA policy is publicly available here.
Our Customer Assurance Package details the process for existing customers to request our SOC 2 Type 1 report and/or pen test reports directly by emailing email@example.com. Once we verify their status, the request is queued and we respond to confirm receipt. GitLab employees may also request reports through this process, but requests for the SOC 2 report must be made on behalf of a customer.
Reports are distributed on Mondays & Thursdays with adjustments for US holidays.
Details about our SOC 2 Security Compliance are available here.