This page outlines the general rules that apply to all work conducted by the Red Team. Individual operations may include additional rules defined during planning stages.
Please refer to our general handbook page to learn more about our team and what we do.
All systems managed by GitLab are in scope for all types of Red Team operations. No prior approval is required to conduct any activity that meets the rules documented on this page.
Third-party systems that are used by GitLab for official business purposes are also considered in scope, but these often require permission from the system owners. This permission will be obtained when necessary.
Team members can request that a system be excluded from our scope by opening an issue here.
Stealth Operations are conducted without being widely announced. These operations require careful planning. We will use the same logistics issue template used for Purple Team operations, but it will only be visible to trusted participants until the operation is disclosed.
The logistics phase will define detailed rules for each specific operation. The sections below contain general rules that apply to all stealth operations.
At GitLab, our Red Team and Blue Team have a long history of working collaboratively towards a common goal. Despite playing roles that are adversarial in nature, we want to maintain a very high level of trust and respect between the teams.
We define some specific rules below, but in general we want to remember to always be kind and compassionate in our work. If something feels like it conflicts with GitLab's values, we need to re-evaluate exactly what we are doing and why we are doing it.
The sections below outline general rules all Red Team operations.
The Red Team may discover and exploit vulnerabilities during an engagement. These will not always be reported immediately to SIRT, as we want to provide a realistic opportunity to detect and respond to that exploitation.
If a vulnerability is exposed that meets the following criteria, we will document the issue and follow the process to engage SIRT immediately:
Red Team operations are carefully planned to avoid impacting production systems and customer activities. However, accidents may occur and production systems may respond in an unpredictable manner.
If we ever suspect an impact to production, we will do the following:
This section describes techniques that are commonly used by the Red Team. These lists are not all inclusive, but are meant to provide team members reasonable expectations of things the Red Team may or may not do.
If any team members have questions or concerns about these operations, please contact us in the
#g_security_redteam Slack channel.
Techniques used in open-scope work include:
During a stealth operation, the Red Team may:
If you are a team member at GitLab and suspect you have uncovered a stealth red team operation in the course of your daily work, please refer to our deconfliction process mentioned in the "Is This Red Team?" section.
At this time, the Red Team will not: