Please report any security vulnerabilities in GitLab itself via our HackerOne bug bounty program. If you would rather not use HackerOne, our next preferred method is for you to create a confidential issue following the instructions in our handbook. If neither of these methods works for you, feel free to email us at security@gitlab.com. Please note that initial vulnerability reports sent to the security@gitlab.com address will be redirected to HackerOne or to confidential issue creation, as these are the most efficient methods for Application Security issue triage.
Please refrain from requesting compensation for reporting vulnerabilities. If you wish, we will publicly acknowledge your responsible disclosure. We also try to make the confidential issue public after the vulnerability is announced; for an example, see our impersonation feature issue. HackerOne also makes bug reports public after 30 days if neither party objects; for an example, see the report for a persistent XSS on a public project page.
You are not allowed to search for vulnerabilities on GitLab.com itself. GitLab is open source software, so you can install a copy yourself and test against that: download CE, EE, or the GitLab Development Kit. If you want to perform testing without setting up GitLab yourself, please contact us to arrange access to a staging server.
You can find more details on how we handle security releases here.
Please see our CVE Request Process to learn how to request a CVE for a public project hosted on GitLab.com.
When a vulnerability is suspected or discovered, we create a confidential issue labeled ~security to track it internally.
Security patches are pushed to dev.gitlab.org, which is not publicly accessible, and merged into the
They should not appear on GitLab.com until the security release has been announced and updated packages are available.
Details can be found under Critical Security Releases in
If you want to conduct red teaming against GitLab, you will need written permission up front. You can apply by emailing security@gitlab.com your plans and experience. You need to get a written authorization letter from our Director of Security. While you are engaged in red teaming activities, you should coordinate with the Security Team so that escalation (law enforcement, etc.) can be avoided. The Security Team will notify the Infrastructure Team as well as the VP of Engineering so that awareness is maintained.
GitLab Security <security@gitlab.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFuql0YBCADpCTagFlvldEfM/yZaCZ8C/CxrqnOfdAK6FDqQrZpH/cvvoauL
W09qXXsi1yZOWOjbKX/ax7qw/7Z2aAzvWOW+epBfmA7lyJOwtQfF81wKkqPSF+tK
dlibgFX6QAgrR6G9IVOy72/MD/T2TnTL40zuYC3p23h7T5wkLqXUaHa9Fc3M2OOM
N4TcIxfz5ypgEgBbF/VwCgnmKyUWxy7AXmLwFywCRJY60zKf57OAxJPn+0XAwh34
JJKC+CTh15RAh/rh6Oh2ihvjltybJgThQp2F72jNAgzkAflwqQeF7psjKXQxvNR7
fQVGndHG7/H1HUoOSRsRHvgLtJCDVsILS6STABEBAAG0JUdpdExhYiBTZWN1cml0
eSA8c2VjdXJpdHlAZ2l0bGFiLmNvbT6JAVQEEwEIAD4WIQS9bahGf4uoEgNnLIOh
HMa1hu8TVwUCW6qXRgIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAK
CRChHMa1hu8TV2fKB/4ikVC42Xc/l5eh5TZMajYtr5C69bYdHOWkEtSCMXgp3x2X
Ezy59cTxWSsD76hTr2ubSDzDQZ21eFlq6mZ98hsz9+y64C/3bO/3LFF6itPamznS
oAYT9zFpNZVmeH4+0SLZBaDlsQOZ1EqjRGVySWRSCC/hnMfugCukEdQJrmq/QXvn
2D4/M3XEMHh/c2cExYYxafIuQ6zaxbISzfQOLFEZWNPk1foQVJd8XANYsglW8sdI
BczMAVNVzLZ6z1feD+cXf1N3SVUNpocMcQW7sWkqZhw0TsowrMKSuPMHcEzZLPlH
qs1meTUCWbMFLKwN1Byl5JOOTdKBwmp72oWOmDkYuQENBFuql0YBCAC7v0pbMG9u
jjoPrQMngmKD26sMMCj4Tz+pOWhpPgvthv+0ufgsAwFA+Oc19Xdt+MaOhwLfQp8R
meVpsxscZfG+2kzVpytl7edHpNxwy9vS1z7iTuEwBjAk0Fr9D1u7uUvYAEvkXXw6
2/WPZo95aSuTvKMussHUH1hxjDahHRyYn1j8Q6w7mVI9MtV8eCo2qpJjnJrIe3UK
LDyXU9fbZws1Fzv0f71VroXPOTOs7FjEiD7a8d6Y7d8zI8gInCfw+b5Te1Qt5BqW
eyRZpGtvWI1/gvOu8lCGa0FxXTHl+n3nQTbPruRC+lWWqC9uQwykCmewMilZA+A+
2/7xUCSPnVW9ABEBAAGJATwEGAEIACYWIQS9bahGf4uoEgNnLIOhHMa1hu8TVwUC
W6qXRgIbDAUJA8JnAAAKCRChHMa1hu8TV1QeB/4gWi/KjcXgrxt9paHuGHB46rRs
fowa9Q2EkeFPCSoUQGmOYN1En/Si8rZ/VZyszFvHAQD2a56UizSorOTAGNVG5jUK
1kaCalQiKhCKWf8oUS7Cu+GXS9ESZHa4dfHIx5w+qED9tM6Nd6pNK4v4JFPQwN/F
W4jkfRbwvreLreACHZ1OY2ZNhW8T2g8d3Vqv+D79BszIBzzpR0YGXmKqbI5zrxkU
jdfBHttzAYPDrBxvqAcXZF6vKXRupxyrmYBwkygMM2JX3YoU7echKqQuKnsJPWKp
6v8dhgsUbu6r2UoYWmk1ha7USM76xXbYc6buHDEjogoZF1ydDyQhB3Um4aFP
=LHOO
-----END PGP PUBLIC KEY BLOCK-----
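Before encrypting a report to this key, a reporter will want to confirm its fingerprint and user ID independently of whatever copy they happened to fetch. The following is an added example and not GitLab's own code or anything from this page: a stdlib-only Python script that de-armors the key block above (embedded verbatim as its sample input), checks the armor CRC24, walks the OpenPGP packets, and computes the version 4 fingerprint, which RFC 4880 defines as SHA-1 over 0x99, the two-byte packet length and the public-key packet body. The function names and the layout of the returned dictionary are my own choices; the constants and header formats come from RFC 4880.

```python
import base64
import hashlib

# Sample input: the armored public key printed on the page above, copied verbatim.
GITLAB_SECURITY_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFuql0YBCADpCTagFlvldEfM/yZaCZ8C/CxrqnOfdAK6FDqQrZpH/cvvoauL
W09qXXsi1yZOWOjbKX/ax7qw/7Z2aAzvWOW+epBfmA7lyJOwtQfF81wKkqPSF+tK
dlibgFX6QAgrR6G9IVOy72/MD/T2TnTL40zuYC3p23h7T5wkLqXUaHa9Fc3M2OOM
N4TcIxfz5ypgEgBbF/VwCgnmKyUWxy7AXmLwFywCRJY60zKf57OAxJPn+0XAwh34
JJKC+CTh15RAh/rh6Oh2ihvjltybJgThQp2F72jNAgzkAflwqQeF7psjKXQxvNR7
fQVGndHG7/H1HUoOSRsRHvgLtJCDVsILS6STABEBAAG0JUdpdExhYiBTZWN1cml0
eSA8c2VjdXJpdHlAZ2l0bGFiLmNvbT6JAVQEEwEIAD4WIQS9bahGf4uoEgNnLIOh
HMa1hu8TVwUCW6qXRgIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAK
CRChHMa1hu8TV2fKB/4ikVC42Xc/l5eh5TZMajYtr5C69bYdHOWkEtSCMXgp3x2X
Ezy59cTxWSsD76hTr2ubSDzDQZ21eFlq6mZ98hsz9+y64C/3bO/3LFF6itPamznS
oAYT9zFpNZVmeH4+0SLZBaDlsQOZ1EqjRGVySWRSCC/hnMfugCukEdQJrmq/QXvn
2D4/M3XEMHh/c2cExYYxafIuQ6zaxbISzfQOLFEZWNPk1foQVJd8XANYsglW8sdI
BczMAVNVzLZ6z1feD+cXf1N3SVUNpocMcQW7sWkqZhw0TsowrMKSuPMHcEzZLPlH
qs1meTUCWbMFLKwN1Byl5JOOTdKBwmp72oWOmDkYuQENBFuql0YBCAC7v0pbMG9u
jjoPrQMngmKD26sMMCj4Tz+pOWhpPgvthv+0ufgsAwFA+Oc19Xdt+MaOhwLfQp8R
meVpsxscZfG+2kzVpytl7edHpNxwy9vS1z7iTuEwBjAk0Fr9D1u7uUvYAEvkXXw6
2/WPZo95aSuTvKMussHUH1hxjDahHRyYn1j8Q6w7mVI9MtV8eCo2qpJjnJrIe3UK
LDyXU9fbZws1Fzv0f71VroXPOTOs7FjEiD7a8d6Y7d8zI8gInCfw+b5Te1Qt5BqW
eyRZpGtvWI1/gvOu8lCGa0FxXTHl+n3nQTbPruRC+lWWqC9uQwykCmewMilZA+A+
2/7xUCSPnVW9ABEBAAGJATwEGAEIACYWIQS9bahGf4uoEgNnLIOhHMa1hu8TVwUC
W6qXRgIbDAUJA8JnAAAKCRChHMa1hu8TV1QeB/4gWi/KjcXgrxt9paHuGHB46rRs
fowa9Q2EkeFPCSoUQGmOYN1En/Si8rZ/VZyszFvHAQD2a56UizSorOTAGNVG5jUK
1kaCalQiKhCKWf8oUS7Cu+GXS9ESZHa4dfHIx5w+qED9tM6Nd6pNK4v4JFPQwN/F
W4jkfRbwvreLreACHZ1OY2ZNhW8T2g8d3Vqv+D79BszIBzzpR0YGXmKqbI5zrxkU
jdfBHttzAYPDrBxvqAcXZF6vKXRupxyrmYBwkygMM2JX3YoU7echKqQuKnsJPWKp
6v8dhgsUbu6r2UoYWmk1ha7USM76xXbYc6buHDEjogoZF1ydDyQhB3Um4aFP
=LHOO
-----END PGP PUBLIC KEY BLOCK-----
"""

def crc24(data):
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored):
    """Strip the ASCII armor, verify its CRC24 and return the raw packet bytes."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = [l for l in lines[1:-1] if l and ":" not in l]  # drop blank lines and "Key: value" armor headers
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    if body[-1].startswith("=") and crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("armor checksum mismatch: the key block was altered or mis-copied")
    return data

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80 or (hdr & 0x43) == 0x03:
            raise ValueError("invalid header or unsupported indeterminate-length packet")
        if hdr & 0x40:  # new format: tag in the low 6 bits, one/two/five-byte length
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old format: tag in bits 2-5, length field size (1/2/4 bytes) from bits 0-1
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(key_body):
    """SHA-1 over 0x99, a two-byte length and the key packet body (RFC 4880 section 12.2)."""
    if key_body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def inspect_key(armored):
    """Fingerprint, key ID, creation time (Unix) and user IDs of the primary key in a block."""
    packets = list(iter_packets(dearmor(armored)))
    tag, body = packets[0]
    if tag != 6:
        raise ValueError("block does not start with a public key packet")
    fpr = v4_fingerprint(body)
    return {"fingerprint": fpr, "key_id": fpr[-16:], "created": int.from_bytes(body[1:5], "big"),
            "user_ids": [b.decode("utf-8") for t, b in packets if t == 13]}
```

Run `inspect_key(GITLAB_SECURITY_KEY)` and compare the fingerprint with what `gpg --import` followed by `gpg --fingerprint` reports for the same block, and with the fingerprint you obtain through a second channel. The CRC24 is an integrity check against copy-and-paste damage, not a security check; a mismatch means the block was mangled in transit, but a clean CRC says nothing about who controls the key, which is what the fingerprint comparison is for.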
When a security vulnerability in a third-party product is discovered by GitLab team members, the following disclosure guideline should apply: