Please report any security vulnerabilities in GitLab itself via our HackerOne bug bounty program. If you prefer not to use HackerOne, or if your finding is out of scope of the bug bounty program but you believe it is important to communicate it to us, our next preferred method is for you to create a confidential issue following the instructions in our handbook. Please refrain from requesting compensation for reporting vulnerabilities.
If you are looking to discover vulnerabilities in GitLab, please see our HackerOne bug bounty policy for details on rules of engagement, scope, and additional information.
Emailing security@gitlab.com is no longer a supported disclosure method and will result in an automated response with further instructions.
All vulnerabilities will be made public via our issue tracker 30 days after the fix is released. We try to redact all information considered sensitive (such as cookies, tokens, and data details). The only time we will make an exception and not make a vulnerability public is when it contains sensitive data which we are unable to redact or remove from the report.
You can find details on how we handle security releases here. On our website you can also find more about the availability and security of GitLab.com.
Please see our CVE Request Process to learn how to request a CVE for a public project hosted on GitLab.com.
If you want to conduct penetration testing against GitLab.com you will need written permission in advance. Customers can contact Support or the Field Security team.
While you are engaged in penetration testing activities you should coordinate with the Security Team so escalation can be avoided. The Security Team will notify the Infrastructure Team as well as the VP of Engineering so that awareness is maintained.
GitLab Security <security@gitlab.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----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=dd8e
-----END PGP PUBLIC KEY BLOCK-----
When a security vulnerability in a third-party product is discovered by GitLab team members, the following disclosure guideline applies:
GitLab.com provides a security.txt (RFC 9116) file at https://gitlab.com/.well-known/security.txt.
To sign the security.txt file:

1. Prepare the unsigned file, unsigned.txt.
2. Locate the security@gitlab.com PGP key in 1Password, copy its secret reference and import the key:
   $ op read <SECRET_REFERENCE_HERE> | gpg --import
3. Clear-sign the file with that key and inspect the result:
   $ gpg --clearsign --local-user <keyID> --output signed.txt unsigned.txt
   $ cat signed.txt
4. Locally sign the key so that verification reports full trust, then verify the signature:
   $ gpg --lsign-key B9EFE21E6340FFC34B5516E398FA455B9ECCCF0E
   $ gpg --verify signed.txt
   gpg: Good signature from "GitLab Security (Security@gitlab.com PGP Key for encrypted communications) <security@gitlab.com>" [full]
5. Remove the secret key from the local keyring afterwards:
   $ gpg --delete-secret-keys <keyID>
6. Publish the contents of signed.txt.
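The signed file that results from the steps above is a PGP clear-signed RFC 9116 security.txt. The following is an added example (not GitLab's own tooling) of a small Python validator that unwraps the clear-signed armor, parses the fields and checks the RFC 9116 rules a publisher most often gets wrong: a missing Contact or Expires, an Expires that has already passed or is more than a year out, a Contact that is not a mailto/https/tel URI, and a single-valued field repeated. The two sample files and the reference time are constructed for the example; the signature block in the sample is a placeholder, and this code does not perform cryptographic verification, which remains the job of `gpg --verify` as in step 4.

```python
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")                 # RFC 9116 mandatory fields
SINGLE_VALUED = ("expires", "preferred-languages")  # may appear at most once
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")    # URI schemes allowed for Contact

# Constructed reference time used by the checks below (not the real clock).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def strip_clearsign(text):
    """Return (body, signed). For a PGP clear-signed message the body is the
    signed text with dash-escaping undone; otherwise the text is returned as-is."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text, False
    try:
        start = lines.index("", 1) + 1  # first blank line ends the armor headers
        end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    except ValueError:
        raise ValueError("malformed clear-signed message")
    # Clear-signing prefixes body lines that start with '-' with "- "; undo that.
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    return "\n".join(body), True


def parse_fields(body):
    """Parse 'Name: value' lines into {lowercase name: [values]}, skipping comments."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line is not a field: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=NOW):
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    body, signed = strip_clearsign(text)
    if not signed:
        findings.append("not PGP clear-signed (RFC 9116 recommends signing)")
    fields = parse_fields(body)
    for name in REQUIRED:
        if name not in fields:
            findings.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            findings.append(f"field must appear at most once: {name}")
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            findings.append(f"Contact is not a mailto/https/tel URI: {contact}")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            findings.append("Expires lacks a timezone offset")
        elif expires <= now:
            findings.append(f"file has expired: {value}")
        elif expires - now > timedelta(days=365):
            findings.append("Expires is more than a year out (SHOULD be under a year)")
    return findings


# Constructed sample: a well-formed clear-signed file (placeholder signature).
SAMPLE_SIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Constructed sample, not a real security.txt
Contact: https://hackerone.com/example
Contact: mailto:security@example.com
Expires: 2025-06-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en
-----BEGIN PGP SIGNATURE-----

[placeholder: constructed sample, not a real signature]
-----END PGP SIGNATURE-----
"""

# Constructed sample: unsigned, bare e-mail Contact, duplicate and expired Expires.
SAMPLE_BAD = """Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, text in (("signed", SAMPLE_SIGNED), ("bad", SAMPLE_BAD)):
        print(label, check_security_txt(text) or "OK")
```

Run it as a pre-publish check on the output of step 3: an empty result means the file is structurally sound, after which `gpg --verify` confirms the signature itself.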