Coordinated Disclosure Process

1. You are here:
2. Coordinated Disclosure Process

Reporting a Vulnerability about GitLab or GitLab.com

Please report any security vulnerabilities in GitLab itself via our HackerOne bug bounty program. If you do not desire to use HackerOne or if your finding is out of scope of the bug bounty program but you believe it's important to communicate it to us our next preferred method is to have you create a confidential issue following the instructions in our handbook. Please refrain from requesting compensation for reporting vulnerabilities.

If you are looking to discover vulnerabilities in GitLab, please see our HackerOne bug bounty policy for details on rules of engagement, scope, and additional information.

Emailing [email protected] is no longer a supported disclosure method and will result in an automated response with further instructions.

Vulnerability Disclosure

All vulnerabilities will be made public via our issue tracker 30 days after releasing the fix. We try and redact all information considered sensitive (such as cookies, tokens, data details). The only time we will make an exception and not make a vulnerability public is when it contains sensitive data which we are unable to redact or remove from the report.

Security Releases

You can find details on how we handle security releases here. On our website you can also find more about the availability and security of GitLab.com.

Reporting a Vulnerability in Public Projects Hosted on GitLab.com

Please see our CVE Request Process to learn how to request a CVE for a public project hosted on GitLab.com.

Penetration Testing Rules of Engagement

If you want to conduct penetration testing against GitLab.com you will need written permission upfront. Customers can contact Support or the Field Security team.

While you are engaged in penetration testing activities you should coordinate with the Security Team so escalation can be avoided. The Security Team will notify the Infrastructure Team as well as the VP of Engineering so that awareness is maintained.

Public GPG Key

• GitLab Security <[email protected]>
• ID: 98FA455B9ECCCF0E
• Fingerprint B9EF E21E 6340 FFC3 4B55  16E3 98FA 455B 9ECC CF0E

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF93KoUBEADQZg8BHcy2d09wweb8BsKBr9tJiY8OTz6Hx/OTtQVRVLiQph0t
/e+tET24GZ2DgfMtW7Qel4rIcE748d+svwr/JLp2k9Dtgn5HRWvCA2m95oYlP1qA
8zUmD50IzxrswHx2XmAOX/amlQlYgNoIJyrID22El7YZY8qOtTjf3gCFKdUngM6K
m0gfV7rl3ahnBOs0ZAIke6/EQieTL1YHHaPtPDankCTe9elcY4eoHjy0GepEgnit
032DiybTcyoVNPmbrgWXAGJQkaCS5KOc4iYa8dYc5VQv8jG+GsvR99ji0avL5Ov0
BChEvIwUVQqwXcEdgB/mrw52SpTvoMsVKPxRB+Mx/FlFans9utTqEy65Cflf1AoI
OHYF15DhA3xzYCESZN/AVvYkIqi8K2D35GIlXoWlwKPh4bXQQG8g0/8YqRTsk8o4
wRVfH6Te8rY864JcKTV413FgcUVvGA6rttacklbUmRikn6EW0LhA4FF0WMg0fGc9
W+OUjQHxH/BRKNSU87mbXEbTBKj/Orq16EigsRUw7qbgxaQ0WQ+9fYDEJSNH9efN
muMjsExMd/hDxxU8CLoHVZRANgxCSZQ3fwUNXL1QduW0bpP2fkhqEUYIbaZbxLEk
EbD5VpBbV9J6ezwy5BMIByp5AIxt9RfHTvpbtMc1kbivYvSSTVuO5klLrwARAQAB
tGBHaXRMYWIgU2VjdXJpdHkgKFNlY3VyaXR5QGdpdGxhYi5jb20gUEdQIEtleSBm
b3IgZW5jcnlwdGVkIGNvbW11bmljYXRpb25zKSA8c2VjdXJpdHlAZ2l0bGFiLmNv
bT6JAlQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQS57+IeY0D/
w0tVFuOY+kVbnszPDgUCZvwuMAUJDwnRqwAKCRCY+kVbnszPDuteD/sFxlXNHFkJ
pnmsayDOwCfcwt8Lf6wLDtwzmwHrwGhkcshxQxTNHdebA/qBP4Or8ivDolVQLeMf
SE3rDGfkWLDcJtqXdwNnqzxSNAfOuRnMouEd3Fk3UF4l7rHuJtyYC1/4Pporf4BR
FMLe3ttvIJBUDqHHRJA9tp9j9i1FT+sFv3569mpCfR8yeBG4dwRKGbl6V8RY42Jl
iR0YbEXaHI8pL7YepD/g9PxUcfYVOoejm/9dMtO5FLavu++jyo70usPt8DXRWlxo
/NFmvjA59ClmHJCj/orCnd7wNqs1WULZD4q4vA1tU/kvuHnwsHj2Alp12sjW/1Lb
ByBf8KMAbodQJAR1pP8HJo8sfWlMFdVTdOR/PjTN0+a6JOXwo3E/gU1Wu3RBp66+
0YeVqZYEammiDNvavU+eXDC5nwlRedqm7gUh7uYPi0qyX8CM/0DZP2WsaHwm8I1K
I32pxVXnZqcYz7uRHbsOPPp5d9iwPgknPPyAY1SJQxNdmbZhTjsIL4/wqnZsuPCK
WIcfNQc2TNErw5w+3IBh5FlGkmhfyUWIlLDI+p7Nr7+KfTf9w0kIixbBz/QNUlt1
gQi/jusKta5JzT4U9UUbQOP+1+JzEOWLtjmFWswOJggRIteVaZa/MIz4MsC06Sj4
QuFHyDTcdAkNlMe/xM93kX4HRAxy+Ef8JLkCDQRfdyqFARAAxdAXr/Ddk6ijbkNC
56QT+Cd+vVv6FthWJY2UfRflZ4tBmfMb9BlTfPBq+fcJG9kSuaFZx0YDs6iy2rTH
mdSi/S5ICfTOsUfDQIfqzsCl7BIEX1ogzNTvVY4gNJ1JaZiM91B8yH574oeo04VE
D+//r0+/HtdB2KZ5tl5LCwKCoueWcXWSOhRPPP56em0mECMkbLgoTmxVvxgPzgzW
AbB7a13PPZSVhIoAZ1qDWRk0oEpTi88AI22COH7Kwd0AuEGpJCmqboUY7Sl5Vd2e
zOBOrDx1N1riQ3h1oAZjJDSKQHeGpP+/tL8pnS7TD3QdkVX/dmBEJBVqqk7xJLFh
ozYzWA6yM2rZzomrafHWShBBmOpcMltV0hoORk4J85xw+6sM7Xwt91JYBUzytDxJ
FC8ZwvakGjMUakeU0L7BKoiknn3ZmInfMV6ZGMKeBB1vkiAhJi8ByxXz3LQgAzQz
NX6PqUdw2TdWqKVW5GTsXnV5jTAsIudrtfHGJ4vfKVPrG/PRtxAWeNFSpOlm9mM8
fuDqOmYgGARBgjuaCXUXYw2dyohKItLVeM586EZ1A+BloP+lqe6xN/IdkbSfAvbl
r0MWWMKa62AjDnB8GahzC8gNPkssDfydd23SQtGcVM0o253F4LGiLDw958nJIfiA
W8tuHUngBJjmLrxw08zJfQHiPCMAEQEAAYkCPAQYAQgAJgIbDBYhBLnv4h5jQP/D
S1UW45j6RVuezM8OBQJm/C5TBQkPCdHOAAoJEJj6RVuezM8OOGQQAIXaFN4z0CHs
mAlW8xV3o0vWOmaHH+SVsLLmikPYlTNq8nX+m/13FcktWU2DPN5K5HT9PbrwKptq
88SgQm20fhhAViCVVowIAHgOdSn+rXQ+6uj4TAuuih7BLo5dxacmM3pjjl4PWH4C
1kgu68JrZJXax5rJOWlAjiBROBY680D/qNGH248A3zFFvwBERKUgSjft5v4sKTQQ
BYPDSn2Ig1pgRNsjEUomHp3ZXNGJsK4DrVPtb8gs6NO6zR+5fqGZp+kgPzqgi/hI
AxUGWE3zenkVRkwedvrpnGCm2Uz8EbxAxn7NaoGatioJO8PZ7XcfeJ5qbeCw9/wm
sTO8eCD+sDSD8a7sYDVf8DAM7cbwcTJOi4O52qLLWAC66rzKh16rexWfFAmKZ1yd
cmw+y8G+E8S+x3RJKRKt90XbWu/7pQBOmDKKnKsVt5w62w3FgYMgrVkgyf0FT/k0
EcYTUPpMcF0cgL6s6knAcuTqXyPmBi3T6z9cf93tV64HP7x+2+m5YnPCq5++8iA3
gEXkAfVF3wnftKn5B2KiNhwRvY8aJZ3/t9djueLvhBCRtz4y7oIi+bAUJ139eH9v
9zULlLmEW0pBygzr677PXg3vQRMiCI3TzwU4O0pi3DsOJG0MllQMMW0ZVnrNZG9r
TemfhggIjGx1pOuDm9tdPdZjWaYzyOai
=dd8e
-----END PGP PUBLIC KEY BLOCK-----

Disclosure Guidelines for Vulnerabilities in 3rd Party Software

When a security vulnerability in some 3rd party product is discovered by GitLab team members the following disclosure guideline should apply:

• The first priority is our users.
  • Therefore for any vulnerability discovered in a dependency of GitLab we'll make sure our users are not affected.
• For the following disclosure process our priority is to get the reported vulnerability fixed.
• If the 3rd party acknowledges the vulnerability and is working on a patch, we will keep vulnerability details confidential until the issue is fixed.
  • If possible, we will verify the fix before it is being published.
  • In special cases we might release details without a fix to make the public aware. This might, for instance, be the case when a vulnerability is being actively exploited.
• We aim for a fix within a 90 days deadline.
  • We will treat this as a soft deadline and help to meet the deadline when reporting.
  • We will try to coordinate with the affected 3rd party to have a patch released before we release an advisory.
• Resulting advisories will be published in the disclosures repository.

security.txt

GitLab.com provides a security.txt (RFC 9116) file at https://gitlab.com/.well-known/security.txt.

Updating security.txt

1. Create updated security.txt content and save it as unsigned.txt
2. Find the [email protected] PGP key in 1Password, and copy its secret reference
3. Import the private key to your local gpg keychain

    $ op read <SECRET_REFERENCE_HERE> | gpg --import 
   

4. Sign the message. If prompted, DO NOT store the private key password in MacOS keychain.

    $ gpg --clearsign --local-user <keyID> --output signed.txt unsigned.txt
   

5. Verify the content and that the signature is correct

    $ cat signed.txt
    $ gpg --lsign-key B9EFE21E6340FFC34B5516E398FA455B9ECCCF0E
    $ gpg --verify signed.txt
       
    gpg: Good signature from "GitLab Security ([email protected] PGP Key for encrypted communications) <[email protected]>" [full]
   

6. IMPORTANT! Remove the private key from your computer

    $ gpg --delete-secret-keys <keyID>
   

7. Open a Change Request, link to the guide on changing security.txt in GitLab, and provide the contents of signed.txt.