GitLab contracts with third parties to conduct annual network and application penetration testing and perform continuous public security scanning (BitSight). Evidence of these are shared via our Customer Assurance Package.
BitSight is a third party security rating platform that utilizes public information collected across multiple domains to provide a numeric score from 250-900 (similar to a credit rating, but security focused). GitLab publishes three reports using BitSight:
A copy of the Quarterly BitSight report and other Security Assurance artifacts are available to download in our Customer Assurance Package.
Customers are NOT authorized to conduct Vulnerability Scans or Penetration tests on GitLab's SaaS Application. A penetration test determines whether or not defensive measures employed are strong enough to prevent security breaches. If our Customers or Prospects were to attempt their own penetration testing of our SaaS environment, it could appear as a real incident to GitLab. For more information, please review GitLab's Terms of Service.
GitLab conducts external, independent penetration tests of our production architecture at least annually. In lieu of this, a report of our Annual Penetration Test is available in our Customer Assurance Package.
GitLab maintains a comprehensive Vulnerability Management program that is configured to identify vulnerabilities throughout our production architecture. Details are available within our Vulnerability Management handbook page.
Penetration testing and Vulnerability scanning performed by self-managed customers must utilize the standard omnibus deployment to prevent false positives based on custom configurations. Automated vulnerability scanners commonly produce low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Identified and validated vulnerabilities can be submitted through our HackerOne reporting program or by creating an issue for our security team.