Occasionally, users will reach out to security@gitlab.com, following the Responsible Disclosure Policy, with questions that may be better addressed by Support (e.g., help resizing a repository in response to a mass notification).
Other times, users will reach out to Support to report a security issue.
Support tickets identified as needing transfer to security should be treated with the same caution as any other suspicious email:
hxxp:// or hxxps:// or 'evil(.).com'.
#security, ask your manager or transfer the ticket.
working as intended
The primary channel through which we currently receive vulnerability reports is our HackerOne Bug Bounty, but we still make security@gitlab.com available for reporting as well. Triaging and responding to these tickets in a timely manner is a responsibility of the Field Security team, and they will reach out to AppSec when needed.
If any team member has any concern about a report and an Application Security engineer is not available, page the security on call.
Sometimes, a customer will request details on a security update that was released, e.g. "Should I worry about this? What's this patch about?"
Following the Responsible Disclosure Policy, a confidential issue will be created and tracked internally. The contents of the confidential issue should not be shared.
Reported via ZenDesk (GitLab internal only): https://gitlab.zendesk.com/.../xxxxx
Triage vulnerability reports in a similar manner to our HackerOne process.
Please refer to our public bug bounty program policy at https://hackerone.com/gitlab for more information.
This report will be triaged in the order it was received on the HackerOne platform. That will be used as our single channel of communication for this report.
and close the ticket as resolved.
In the case that something ended up in the Security inbox and was forwarded on via email:
In order to transfer a ticket from Support to Security:
In the case that a security issue was reported through a support ticket:
Update the assignee in ZenDesk to Security
Link to the issue reporting the vulnerability
In the case that the customer has already filed an issue for the vulnerability:
Mark the issue as confidential
Add the security, customer, and bug or feature proposal labels
Assign Severity and Priority Labels