Security is everyone's responsibility, and therefore, everyone can contribute to it. We want to foster a strong security culture at GitLab, and reward the people who are raising our standards and expectations.
The purpose of the Security Awards Program is to incentivize GitLab team members and community contributors to solve as many security-related problems as possible.
The current leaderboard can be found here.
Security is a team effort, and everyone is invited to contribute.
The following are awardable:
Participation is purely voluntary; there is no requirement to work extra hours or to negatively impact team members' work-life balance.
No registration is required to participate in the program:
Action | Who | Points
---|---|---
Nomination | MR or Issue Author | Number of votes * 100
Awarded actions can be issues or merge requests. They must have been closed (issues) or merged (merge requests) in the last 6 months, and have at least the ~security label.
Non-exhaustive list of behaviors to incentivize:
While nominations are made manually by GitLab team members, some actions can be automatically rewarded with points.
This is the case for security merge requests, which are merge requests labeled with ~security and a ~severity::x label, and located under gitlab-org/security.
Action | Who | Points
---|---|---
Merging a Merge Request with the ~security ~severity::1 labels | Author | 100
Merging a Merge Request with the ~security ~severity::1 labels | Every reviewer | 50
Merging a Merge Request with the ~security ~severity::2 labels | Author | 80
Merging a Merge Request with the ~security ~severity::2 labels | Every reviewer | 40
Merging a Merge Request with the ~security ~severity::3 labels | Author | 60
Merging a Merge Request with the ~security ~severity::3 labels | Every reviewer | 30
Merging a Merge Request with the ~security ~severity::4 labels | Author | 40
Merging a Merge Request with the ~security ~severity::4 labels | Every reviewer | 20
These actions can still be nominated (by adding the ~security-awards::nomination label to the merge request) if someone wants to highlight extra effort or a great achievement: the two are not mutually exclusive.
Reviewers of these merge requests are also rewarded automatically, as long as they are still assigned as reviewers at the time of the reward, which happens after the merge. People who unassign themselves after their review are not recognized at the moment (please discuss in this issue).
At the end of every fiscal quarter, the top nominees in each category will be able to redeem their prizes.
The leaderboard keeps a ranking of all participants for 4 consecutive quarters. At the end of the fiscal year, the top winners across all categories will be able to redeem a bigger prize. The yearly contest starts with FY22.
In the case where two or more nominees are tied for a place rewarded with a prize, their rank will be set automatically by our automated process: the earliest first appearance in a ranking (quarterly or yearly) takes precedence. For example:
Nominee | Points | Ranking | First award
---|---|---|---
user1 | 400 | 1 | 2021-02-01
user3 | 200 | 2 | 2021-01-01
user2 | 200 | 3 | 2021-01-15
user2 and user3 are tied for second place, but user3's first awarded action in this ranking (2021-01-01) came before user2's (2021-01-15), so user3 ranks higher.
Since Engineering is more likely to be exposed to security topics, we want this program to be fair and make everyone feel included and involved. Each category below will be rewarded. We have a limited number of prizes to distribute every quarter and year, so we want to make sure that all categories are well represented.
Engineers and Managers from the Development Department.
Rest of Engineering: QA, Support, Product Design, Infrastructure, …
Rest of the company: Marketing, Product, Sales, Legal, PeopleOps, …
Only security fixes and contributions from the community are considered. We already have a Bug Bounty Program for external contributors to report security issues and bugs.
Every approved action qualifies the nominee for the quarterly and yearly contests. The ranking of participants with their scores is displayed on the leaderboards listed below.
For confidentiality reasons, the details of rewarded actions are not publicly available, but all the data used to build these leaderboards is compiled in these YAML files.
You can find the issues and merge requests awarded so far here:
Prize givings are on-hold while we work on award automation. Please refer to our "Managing prize giving delays" issue for information, questions, and comments.
See the prizes page for a detailed view.
Anyone at GitLab can nominate someone else by using the label ~security-awards::nomination on an issue or a merge request in the gitlab.com/gitlab-org or gitlab.com/gitlab-com groups.
The following scoped labels are being used in this process:
~security-awards::nomination
~security-awards::awarded
On Mondays, a new issue is created in the Security Meta project with the title "Security Awards Program Council Discussion week of [date]" and the ~Security Awards Council label.
A reminder is sent on Slack, in the #sec-appsec channel, to remind everyone to vote for their favorite nominations.
Every nomination is added as a threaded comment in these Council Issues. Only Security team members can vote for these nominations. Other votes will not count towards the vote totals.
Approvals are indicated by 👍 reactions from at least 2 Security team members. Each vote (👍) awards 100 points to the nomination (e.g. 7 👍 equals 700 points awarded).
Council Issues older than 2 weeks are automatically closed, and the ~security-awards::awarded label is set on the awarded issues/merge requests. The ones without enough votes get their ~security-awards::nomination label removed.
The process is automated in this project: https://gitlab.com/gitlab-com/security-awards/.