Maintained by:

Transparency by Default - Security

Purpose

In alignment with our company value of Transparency, one focus of the security organization is to lead the most transparent security organization in business today. Transparency by default requires us to challenge the status quo where security teams traditionally operate in a very private and closed-off manner. However, being open by default requires us to be even more diligent in our efforts of categorizing data in order to ensure the protection of our customers, company, and team member data. Therefore, our position is that all information and activities produced by the security team should be considered "Public by Default" unless defined below:

Open to GitLab, Partners, Customers

This information is only externally available to GitLab Partners or Customers as widespread availability of this data can be damaging to GitLab or risk the security or privacy of GitLab, GitLab customers or GitLab partners.

Control status
3rd party audit reports
RFP database responses
3rd party penetration test report summaries
Aggregate vulnerability metrics (by severity only)
Security Team Roadmap

Open to GitLab

This information is open to GitLab but not publicly (handbook) available because of information that can risk the confidentiality, security or privacy of internal company information. The public availability of this information could pose a significant risk to GitLab or it’s customers.

Vendor Audit Reports
Procedures/Runbooks/work instructions containing sesnsitive or personal data
Customer questionnaires
Detailed control test results to include observations and remediation plans
Gap analysis reports
Project management documentation containing sesnsitive or personal data
Security metrics
Security KPIs
Security OKRs
Unmitigated vulnerabilities
HackerOne vulnerability submissions post internal triage
3rd party penetration test full detail reports
Information about security incidents or investigations handled by SIRT that are not considered high-severity or sensitive
Executive reports of Red Team operations that do not contain details
Vulnerabilities patched or resolved more than 30 days ago
Concluded security incidents that do not contain Materially Non-Public Information

Restricted: Security Only or other restrictions imposed

This information is restricted due to confidential data or privacy concerns related to company, customer or individual data that would be significantly damaging if disclosed or otherwise restricted by law or by legal contract.

Customer contracts / Open to Security Only (and Legal, Sales)
- Due to confidential customer data
Open/closed security customer support tickets / Open to (Security, Support)
- Due to customer, individual privacy requirements
Audit Evidence
- Due to the sensitive nature of the data being provided which can include personal data, system data and current risks including open vulnerabilities
Legal Holds
Work communication (emails, Slack) related to specific topics or team members
Risk Register
HackerOne vulnerability submissions prior to internal triage
Critical preventative or detective security control configurations
Baseline security configurations
Vulnerabilities that are unique to the FedRAMP production environment
Details related to operations performed by the Red Team and their findings
- Due to the risk these findings would present to the security of GitLab.com and GitLab the company
Information related to GitLab.com abusive activity and follow-up activity taken by the Trust & Safety team
- Due to customer, individual privacy requirements
- Due to the necessity to keep our anti-abuse processes unknown to abusive actors
Information about security incidents or investigations that have not yet been marked as closed/resolved by the SIRT
- Due to the sensitive nature of security incidents and the information involved (unpatched vulnerabilities, compromised credentials)

Transparency by Default