At GitLab, we believe that transparency is critical to our success, and security is no different. Our Customer Assurance Package (CAP) is designed to provide GitLab team members, users, customers, and other community members with the most current information about our Security and Compliance Posture.
We encourage our Customers and Prospects to review the Self Service resources, Third Party Security Rating and External Evidence outlined on this page. Additional support can be provided by your Technical Account Manager or by emailing firstname.lastname@example.org.
We know that our Customers and Prospects have a lot of questions about GitLab's Security. And we are here to help answer them! Below is a collection of resources that captures the vast majority of commonly asked security questions. They are accessible to anyone, and a Non-Disclosure Agreement (NDA) is not required to view them.
Coming soon: Regulated Markets Customer Assurance Package
In today's security world, it isn't enough to say you have a strong security posture; our Customers and Prospects want us to prove it. And we know that many of our customers utilize Third Party Application ratings as a deciding factor when contracting with vendors. These tools are designed to independently identify potential vulnerabilities and provide a public report of an organization's Security health. At this time, GitLab is working closely with both Security Scorecard and BitSight to ensure the most up-to-date and accurate information is reflected in these scores.
BitSight utilizes public information collected across multiple domains to provide a numeric score from 250-900. GitLab publishes three reports:
GitLab's Production Summary Report - Last Updated December 2020
Security Scorecard monitors public information across 10 risk factors (such as DNS health, IP reputation, network security and patching cadence) and publicly reports an A-F rating. GitLab does not monitor this score regularly. GitLab will review reported items sporadically with a goal of maintaining a B or higher.
We recognize that different customers may utilize other Third Party Security Rating platforms. If you utilize an application other than BitSight, you can submit a request for evaluation.
Each application will be assessed based on the following criteria:
The Risk and Field Security Team will review this along with a "current snapshot" from the requested applications to determine if it will provide valuable information. Oftentimes these applications will report the same information, which would lead to redundant findings and inefficient processes. It is important to note that just because an application is approved for usage, it does not mean that GitLab is agreeing to any of the findings or remediation activities.
In line with specific laws, regulations and contractual requirements, there are certain items that we require a Non-Disclosure Agreement to provide.