The GitLab Phishing Program is designed to educate GitLab Team Members and to evaluate GitLab's ability to detect and prevent phishing attempts. The goal of the program is to maintain up-to-date educational materials, provide ongoing training, and execute real-world simulations that give GitLab Team Members the knowledge to identify, report, and block phishing attempts. Phishing simulations are provided by ProofPoint, GitLab's third-party provider, and help satisfy external regulatory requirements and bolster customer assurance.
The Security Governance team coordinates with the following teams before a phishing simulation exercise:
Phishing simulations are an integral part of our overall security awareness education. The Security Governance team uses ProofPoint to generate and send simulated phishing emails to GitLab team members (TMs) to assess their ability to identify phishing attempts. The goal is that TMs either report the phishing attempt (ideal behavior) or delete the email (acceptable behavior). TMs who click the link will automatically be assigned a phishing-specific training module, also via ProofPoint.
At a minimum, one phishing simulation campaign will take place each fiscal quarter. Prior to the phishing campaign's start, a general notification to the GitLab organization will be posted to the #whats-happening-at-gitlab Slack channel. However, for maximum efficacy, the exact content, date, time and team members receiving the email will not be communicated. Campaigns may contain various versions of the simulated email that will be delivered at random times throughout the 1-week campaign.
All GitLab team members, contractors and others with access to production data will be included in the quarterly campaigns with the exception of any individuals on extended leave at the time the campaign is launched.
The phishing simulation email from ProofPoint will appear as though it originates from GitLab or from a fictitious company. The email is made to look realistic and authentic in an attempt to get the TM to click a link. We would love to show you what this looks like, but that would defeat the purpose of the test.
Just like with any suspected phishing or malicious email, follow the handbook process for reporting suspected phishing emails. The preference for reporting phishing emails is Option 1 via PhishAlarm.
In the event the link is clicked, the team member will be redirected to a landing page notifying them that this was part of a simulation. TMs will see a quick Teachable Moment and will be automatically enrolled in a short training assignment (also provided by ProofPoint). We want everyone to be as successful as possible, and these quick trainings provide a few tips to help recognize malicious emails in the future. The trainings are quick interactive videos, and completing them will help us with future training assessments.
Our phishing partner, ProofPoint, curates and hosts the training modules that are assigned when the link is clicked. The training is designed to reinforce good habits and provide real-world examples of detecting and reporting phishing. We highly encourage you to complete the training soon after receiving it, as this will better prepare you to spot phishing attempts in the future. The training modules are short and interactive and will come from firstname.lastname@example.org.
If the training is not completed within 1 week, a reminder will be sent from ProofPoint. If required, the Security Governance team will communicate incomplete assigned training modules to managers for assistance with completion. Demonstration of completed training supports compliance with the Phishing Program and our regulatory requirements.
| Action taken by the team member | Outcome |
| --- | --- |
| Submitted the email via PhishAlarm or directly to email@example.com | No further action. |
| Did nothing with the email | No further action. |
| Clicked on the link | Training will be assigned. |
The Security Governance team will initiate and track the quarterly phishing simulation campaign within ProofPoint. Once the campaign has completed, the Security Governance team will provide non-identifying results in the Phishing Program project.
I clicked the link in the email, what do I do?
I didn't click the link in the email, what do I do?
I got assigned training without clicking the link in the email, what do I do?
Feel free to complete the assigned training and consider it an extra step toward staying secure!
I use a physical Yubikey for multifactor authentication, why did I still fail the phishing simulation?
I thought the Red Team was conducting the phishing exercises?
Why are we using an external vendor?
Who decides who receives these phishing simulations?
How often will I receive these?
At a minimum, one phishing simulation campaign will take place each fiscal quarter. Prior to the campaign's start, a general notification will be posted to the #whats-happening-at-gitlab Slack channel. However, for maximum efficacy, the exact content, date, time and team members receiving the email will not be communicated. Campaigns may contain various versions of the simulated email that will be delivered at random times throughout the 1-week campaign.
I don't want to be included, how do I remove myself?
Is this an invasion of privacy?
Will I be publicly shamed?
I never fall for the phishing simulations received, why am I still receiving these simulation emails?
How can I provide Feedback on my experience?
Please reach out to the Security Governance team!