The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
In early 2021, we witnessed the co-evolution of cryptomining and CI, in which free SaaS continuous integration platforms were seriously compromised by cryptocurrency mining attacks. In the wake of these industry-wide attacks, we put in place a few practices to mitigate abuse on GitLab.com, which affects the experience of free and trial users.
Going forward, we needed a more proactive approach to monitoring, detecting, evaluating, preventing, and reacting to pipeline abuse. Consequently, the Instance Resiliency category focuses on features that help prevent and stop not only cryptomining abuse but any kind of behavior that might compromise the safety of our users or the stability of our platform. Most measures that prevent abuse also introduce friction for end users, so this category is responsible for carefully weighing the tradeoff between keeping the platform secure and providing a good end user experience.
Many issues are intentionally confidential, despite our value of transparency, because we don't want to make the exact details of our controls obvious to abusers. We aren't relying on "security by obscurity"; however, we also don't want to make it easier for abusers.
We rely on several teams to make this program successful:
| DRI | EM | Trust & Safety | AppSec | Growth PM |
|---|---|---|---|---|
| Sam White | Jay Swain | Joaquin Fuentes | Greg Myers | Sam Awezec |
| Measure | Dashboard |
|---|---|
| Identity Verification | Dashboard |
| Pipeline Validation Service, which has rules that catch certain coding behaviors to stop bad actors before pipelines are run | Dashboard |
| Quota of compute minutes enforcement and limits across various levels of GitLab.com | Dashboard |
Currently the team is focused on making changes to the signup flow to leverage more advanced data points. This will allow us to reduce friction for legitimate users while still keeping the platform safe from abusive users. The priority list for the Anti-Abuse group can be viewed here.
Last Reviewed: 2024-04-16
Last Updated: 2024-04-16