Coordinated Disclosure Process

Reporting a Vulnerability about GitLab or GitLab.com

Please report any security vulnerabilities in GitLab itself via our HackerOne bug bounty program. If you do not wish to use HackerOne, or if your finding is out of scope for the bug bounty program but you believe it is important to communicate to us, our next preferred method is for you to create a confidential issue following the instructions in our handbook. Please refrain from requesting compensation for reporting vulnerabilities.

If you are looking to discover vulnerabilities in GitLab, please see our HackerOne bug bounty policy for details on rules of engagement, scope, and additional information.

Emailing security@gitlab.com is no longer a supported disclosure method and will result in an automated response with further instructions.

Vulnerability Disclosure

All vulnerabilities will be made public via our issue tracker 30 days after releasing the fix. We try to redact all information considered sensitive (such as cookies, tokens, and data details). The only time we will make an exception and not make a vulnerability public is when it contains sensitive data which we are unable to redact or remove from the report.

Security Releases

You can find details on how we handle security releases here. On our website you can also find more about the availability and security of GitLab.com.

Reporting a Vulnerability in Public Projects Hosted on GitLab.com

Please see our CVE Request Process to learn how to request a CVE for a public project hosted on GitLab.com.

Penetration Testing Rules of Engagement

If you want to conduct penetration testing against GitLab.com you will need written permission up front. Customers can contact Support or the Field Security team.

While you are engaged in penetration testing activities you should coordinate with the Security Team so escalation can be avoided. The Security Team will notify the Infrastructure Team as well as the VP of Engineering so that awareness is maintained.

Public GPG Key

  • GitLab Security <security@gitlab.com>
  • ID: 98FA455B9ECCCF0E
  • Fingerprint: B9EF E21E 6340 FFC3 4B55 16E3 98FA 455B 9ECC CF0E

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF93KoUBEADQZg8BHcy2d09wweb8BsKBr9tJiY8OTz6Hx/OTtQVRVLiQph0t
/e+tET24GZ2DgfMtW7Qel4rIcE748d+svwr/JLp2k9Dtgn5HRWvCA2m95oYlP1qA
8zUmD50IzxrswHx2XmAOX/amlQlYgNoIJyrID22El7YZY8qOtTjf3gCFKdUngM6K
m0gfV7rl3ahnBOs0ZAIke6/EQieTL1YHHaPtPDankCTe9elcY4eoHjy0GepEgnit
032DiybTcyoVNPmbrgWXAGJQkaCS5KOc4iYa8dYc5VQv8jG+GsvR99ji0avL5Ov0
BChEvIwUVQqwXcEdgB/mrw52SpTvoMsVKPxRB+Mx/FlFans9utTqEy65Cflf1AoI
OHYF15DhA3xzYCESZN/AVvYkIqi8K2D35GIlXoWlwKPh4bXQQG8g0/8YqRTsk8o4
wRVfH6Te8rY864JcKTV413FgcUVvGA6rttacklbUmRikn6EW0LhA4FF0WMg0fGc9
W+OUjQHxH/BRKNSU87mbXEbTBKj/Orq16EigsRUw7qbgxaQ0WQ+9fYDEJSNH9efN
muMjsExMd/hDxxU8CLoHVZRANgxCSZQ3fwUNXL1QduW0bpP2fkhqEUYIbaZbxLEk
EbD5VpBbV9J6ezwy5BMIByp5AIxt9RfHTvpbtMc1kbivYvSSTVuO5klLrwARAQAB
tGBHaXRMYWIgU2VjdXJpdHkgKFNlY3VyaXR5QGdpdGxhYi5jb20gUEdQIEtleSBm
b3IgZW5jcnlwdGVkIGNvbW11bmljYXRpb25zKSA8c2VjdXJpdHlAZ2l0bGFiLmNv
bT6JAlQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQS57+IeY0D/
w0tVFuOY+kVbnszPDgUCZvwuMAUJDwnRqwAKCRCY+kVbnszPDuteD/sFxlXNHFkJ
pnmsayDOwCfcwt8Lf6wLDtwzmwHrwGhkcshxQxTNHdebA/qBP4Or8ivDolVQLeMf
SE3rDGfkWLDcJtqXdwNnqzxSNAfOuRnMouEd3Fk3UF4l7rHuJtyYC1/4Pporf4BR
FMLe3ttvIJBUDqHHRJA9tp9j9i1FT+sFv3569mpCfR8yeBG4dwRKGbl6V8RY42Jl
iR0YbEXaHI8pL7YepD/g9PxUcfYVOoejm/9dMtO5FLavu++jyo70usPt8DXRWlxo
/NFmvjA59ClmHJCj/orCnd7wNqs1WULZD4q4vA1tU/kvuHnwsHj2Alp12sjW/1Lb
ByBf8KMAbodQJAR1pP8HJo8sfWlMFdVTdOR/PjTN0+a6JOXwo3E/gU1Wu3RBp66+
0YeVqZYEammiDNvavU+eXDC5nwlRedqm7gUh7uYPi0qyX8CM/0DZP2WsaHwm8I1K
I32pxVXnZqcYz7uRHbsOPPp5d9iwPgknPPyAY1SJQxNdmbZhTjsIL4/wqnZsuPCK
WIcfNQc2TNErw5w+3IBh5FlGkmhfyUWIlLDI+p7Nr7+KfTf9w0kIixbBz/QNUlt1
gQi/jusKta5JzT4U9UUbQOP+1+JzEOWLtjmFWswOJggRIteVaZa/MIz4MsC06Sj4
QuFHyDTcdAkNlMe/xM93kX4HRAxy+Ef8JLkCDQRfdyqFARAAxdAXr/Ddk6ijbkNC
56QT+Cd+vVv6FthWJY2UfRflZ4tBmfMb9BlTfPBq+fcJG9kSuaFZx0YDs6iy2rTH
mdSi/S5ICfTOsUfDQIfqzsCl7BIEX1ogzNTvVY4gNJ1JaZiM91B8yH574oeo04VE
D+//r0+/HtdB2KZ5tl5LCwKCoueWcXWSOhRPPP56em0mECMkbLgoTmxVvxgPzgzW
AbB7a13PPZSVhIoAZ1qDWRk0oEpTi88AI22COH7Kwd0AuEGpJCmqboUY7Sl5Vd2e
zOBOrDx1N1riQ3h1oAZjJDSKQHeGpP+/tL8pnS7TD3QdkVX/dmBEJBVqqk7xJLFh
ozYzWA6yM2rZzomrafHWShBBmOpcMltV0hoORk4J85xw+6sM7Xwt91JYBUzytDxJ
FC8ZwvakGjMUakeU0L7BKoiknn3ZmInfMV6ZGMKeBB1vkiAhJi8ByxXz3LQgAzQz
NX6PqUdw2TdWqKVW5GTsXnV5jTAsIudrtfHGJ4vfKVPrG/PRtxAWeNFSpOlm9mM8
fuDqOmYgGARBgjuaCXUXYw2dyohKItLVeM586EZ1A+BloP+lqe6xN/IdkbSfAvbl
r0MWWMKa62AjDnB8GahzC8gNPkssDfydd23SQtGcVM0o253F4LGiLDw958nJIfiA
W8tuHUngBJjmLrxw08zJfQHiPCMAEQEAAYkCPAQYAQgAJgIbDBYhBLnv4h5jQP/D
S1UW45j6RVuezM8OBQJm/C5TBQkPCdHOAAoJEJj6RVuezM8OOGQQAIXaFN4z0CHs
mAlW8xV3o0vWOmaHH+SVsLLmikPYlTNq8nX+m/13FcktWU2DPN5K5HT9PbrwKptq
88SgQm20fhhAViCVVowIAHgOdSn+rXQ+6uj4TAuuih7BLo5dxacmM3pjjl4PWH4C
1kgu68JrZJXax5rJOWlAjiBROBY680D/qNGH248A3zFFvwBERKUgSjft5v4sKTQQ
BYPDSn2Ig1pgRNsjEUomHp3ZXNGJsK4DrVPtb8gs6NO6zR+5fqGZp+kgPzqgi/hI
AxUGWE3zenkVRkwedvrpnGCm2Uz8EbxAxn7NaoGatioJO8PZ7XcfeJ5qbeCw9/wm
sTO8eCD+sDSD8a7sYDVf8DAM7cbwcTJOi4O52qLLWAC66rzKh16rexWfFAmKZ1yd
cmw+y8G+E8S+x3RJKRKt90XbWu/7pQBOmDKKnKsVt5w62w3FgYMgrVkgyf0FT/k0
EcYTUPpMcF0cgL6s6knAcuTqXyPmBi3T6z9cf93tV64HP7x+2+m5YnPCq5++8iA3
gEXkAfVF3wnftKn5B2KiNhwRvY8aJZ3/t9djueLvhBCRtz4y7oIi+bAUJ139eH9v
9zULlLmEW0pBygzr677PXg3vQRMiCI3TzwU4O0pi3DsOJG0MllQMMW0ZVnrNZG9r
TemfhggIjGx1pOuDm9tdPdZjWaYzyOai
=dd8e
-----END PGP PUBLIC KEY BLOCK-----
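Before encrypting a report to the key above, the check a practitioner wants is that the armored block really hashes to the fingerprint and key ID stated next to it, rather than trusting the numbers as printed. The script below is an added example, not GitLab's code or tooling: it parses the first OpenPGP packet of the armor and computes the v4 fingerprint as defined in RFC 4880 section 12.2 (SHA-1 over 0x99, the two-byte packet length and the public-key packet body), then takes the key ID as the low 64 bits. The embedded armor is the primary-key packet portion of the block above (its first 11 base64 lines; the user ID, self-signature and subkey that follow do not enter the fingerprint), and the function names are the example's own.

```python
import base64
import hashlib

# Primary public-key packet of the key on this page: the first 11 base64 lines
# of the armored block (525-byte RSA-4096 packet plus its 3-byte header).
KEY_PACKET_ARMOR = """\
mQINBF93KoUBEADQZg8BHcy2d09wweb8BsKBr9tJiY8OTz6Hx/OTtQVRVLiQph0t
/e+tET24GZ2DgfMtW7Qel4rIcE748d+svwr/JLp2k9Dtgn5HRWvCA2m95oYlP1qA
8zUmD50IzxrswHx2XmAOX/amlQlYgNoIJyrID22El7YZY8qOtTjf3gCFKdUngM6K
m0gfV7rl3ahnBOs0ZAIke6/EQieTL1YHHaPtPDankCTe9elcY4eoHjy0GepEgnit
032DiybTcyoVNPmbrgWXAGJQkaCS5KOc4iYa8dYc5VQv8jG+GsvR99ji0avL5Ov0
BChEvIwUVQqwXcEdgB/mrw52SpTvoMsVKPxRB+Mx/FlFans9utTqEy65Cflf1AoI
OHYF15DhA3xzYCESZN/AVvYkIqi8K2D35GIlXoWlwKPh4bXQQG8g0/8YqRTsk8o4
wRVfH6Te8rY864JcKTV413FgcUVvGA6rttacklbUmRikn6EW0LhA4FF0WMg0fGc9
W+OUjQHxH/BRKNSU87mbXEbTBKj/Orq16EigsRUw7qbgxaQ0WQ+9fYDEJSNH9efN
muMjsExMd/hDxxU8CLoHVZRANgxCSZQ3fwUNXL1QduW0bpP2fkhqEUYIbaZbxLEk
EbD5VpBbV9J6ezwy5BMIByp5AIxt9RfHTvpbtMc1kbivYvSSTVuO5klLrwARAQAB
"""

# Fingerprint as published on the page, the out-of-band value to compare against.
STATED_FINGERPRINT = "B9EF E21E 6340 FFC3 4B55 16E3 98FA 455B 9ECC CF0E"


def dearmor(text: str) -> bytes:
    """Strip armor framing and base64-decode the payload.

    Skips BEGIN/END lines, blank lines, armor headers (they contain ':', which
    never appears in base64) and the '=XXXX' CRC line, so both a full key block
    and a bare packet dump like KEY_PACKET_ARMOR are accepted."""
    lines = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----") or ":" in line or line.startswith("="):
            continue
        lines.append(line)
    return base64.b64decode("".join(lines))


def first_packet(data: bytes):
    """Return (tag, body) of the first OpenPGP packet (RFC 4880 section 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            hdr, length = 2, first
        elif first < 224:
            hdr, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            hdr, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: low two bits select a 1-, 2- or 4-byte length field
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(data[1:hdr], "big")
    return tag, data[hdr:hdr + length]


def key_fingerprint(armor: str) -> dict:
    """v4 fingerprint = SHA-1(0x99 || 2-byte body length || public-key packet body);
    the key ID is the low-order 64 bits of that fingerprint."""
    tag, body = first_packet(dearmor(armor))
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    if body[0] != 4:
        raise ValueError(f"only v4 keys are handled, got version {body[0]}")
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    return {
        "version": body[0],
        "created": int.from_bytes(body[1:5], "big"),  # key creation time, Unix seconds
        "algorithm": body[5],                         # 1 = RSA (encrypt or sign)
        "fingerprint": digest,
        "key_id": digest[-16:],
    }


def matches_stated(armor: str, stated: str) -> bool:
    """Compare the computed fingerprint with a published one, ignoring spacing and case."""
    return key_fingerprint(armor)["fingerprint"] == stated.replace(" ", "").upper()


if __name__ == "__main__":
    info = key_fingerprint(KEY_PACKET_ARMOR)
    print(info)
    print("matches stated fingerprint:", matches_stated(KEY_PACKET_ARMOR, STATED_FINGERPRINT))
```

Passing the whole armored block to `key_fingerprint` gives the same result, since only the first packet is hashed; a mismatch between the computed and published fingerprint means the block was altered in transit or on the page and must not be used.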