Since we opened our bug bounty program to the public in December 2018, our community of external security researchers submitted 1,282 reports and we paid out $515,899 in bounties.

This past September we told you we were iterating on how and when we pay out bounties. At that point we changed to a model where we pay out a part of the bounty right at the moment when a report is triaged. Now we're making more changes.

New! Increased bounties for critical and high severity reports

What’s better than money in your pocket faster? MORE money in your pocket faster.

Effective November 18, 2019, we are increasing the amount of bounty awards for new reports for critical and high vulnerabilities!

Critical (9.0 - 10.0) High (7.0-8.9) Medium (4.0-6.9) Low (0.1 - 3.9)
$20,000 $10,000 $3,000 $1,000

What isn’t changing:

• Program scope
• Severity criteria
• Rules of engagement
• Our SLAs for response, time to triage and time to bounty

The skills, depth of expertise and contributions of our security researcher community are strengthening the security of our product and our company in a very real way and we are excited to be able to recognize this with higher bounties. Thank you for your continued contributions and we look forward to your next report!

P.S. There’s still a little time left to participate in our bug bounty contest running October 1 through November 30. Report a bug and be entered to win a sweet piece of GitLab swag!

Photo by Banter Snaps on Unsplash



Git为Software Freedom Conservancy的注册商标,GitLab为GitLab B.V.的注册商标,我们已获授权使用“极狐GitLab”。

免费试用极狐GitLab 30天

有疑问? 联系我们

Gitlab x icon svg