What a long, strange trip 2020 has been. It started with hitting the million-dollar milestone in bounties paid through our HackerOne program, appearing at #6 on HackerOne’s 2020 Top Ten Public Bug Bounty Programs list (up from our #10 spot in 2019), and having our approach to security and our bug bounty program featured in this HackerOne customer story. And then, like many across the globe, our year both screeched to a halt and raged on, as we all moved forward as best we could through a tumultuous year of eye-opening and unbelievable global events, some we’d rather forget and some we can and should learn and grow from.

One thing remained a constant though: The awesomely talented security researchers who submit to our program kept finding small bugs and big bugs, and our teams kept on triaging, testing, and fixing them.

We’re ending 2020 with a look back at our bug bounty program and the people who have made it a success by making our product and company more secure: our bug bounty researchers!

2020 by the numbers

This year we:

Note: Data pulled is accurate as of Dec. 7, 2020.

Shout-out to our Bug Bounty Program manager, James Ritchey, for providing these program stats. 📣

Bug bounty program updates

We also rolled out a few new programs and initiatives to recognize and benefit contributors to our program.

This year, we:

Together, we are stronger 💪.

Now, onto the really good stuff. We’re excited to announce the winners of our hacking contest, which commemorates our second year as a public bug bounty program. 🎉 🥁 🐛

We announced a bug bounty contest in October and received 138 reports from 87 different individuals between October 1 and November 30, and 55 of them were from new reporters!

Thanks to all who contributed! 🙌

Congratulations to these 5 contest winners

Most reputation points from submissions to our program. Congratulations to @vaib25vicky who was the frontrunner for reputation points this period.

Most reputation points collected by a reporter new to our program. Congratulations to @fsky who clinched the highest reputation score of any new reporter to our program.

Best written report. Congratulations to @afewgoats, your DoS report outlined multiple attack scenarios, provided us with a cool script to reproduce, and was clever and well written!

Most innovative report. Congratulations to @anshraj_srivastava, your discovery surrounding private repositories was a first of its kind in our program.

Most impactful finding. Congratulations to @ledz1996, your report on stealing an API OAuth token was eye-opening and innovative.

Since it is GitLab’s policy to share details via public GitLab.com issue 30 days after releasing a fix, more details surrounding the research from the best written report, most innovative report, and most impactful finding category winners will be released in future security release blog posts.

We cannot wait to send you one of these:

[Image: custom GitLab mechanical keyboard] This Tanuki-powered Code V3 with gold-plated Cherry MX Brown switches will light up your hackety hack.

We know though, that 2020 has not been all cherry-plated switches. It's been a trying year for all of us, with plenty of graphs trending in all the wrong ways. There have been highlights though and this program has been a continued source of fresh, expert perspectives, aha moments and positive energy from the sheer skill and innovation the security researchers bring to our program. We’re grateful to have your continued contributions and partnership in making our product and company more secure. Here’s to a better 2021, together.

Happy hacking,

The GitLab Security team
