'Exclusive swag' up for grabs as GitLab flings bug bounty scheme open to world+dog
Don't worry, there are cheques, too
DevOps outfit GitLab has opened its bug bounty scheme to world+dog, having paid out $200,000 last year and fixed "nearly 200 vulnerabilities reported to us".
"In managing a public bug bounty program, we will now be able to reward our hacker community for reporting security vulnerabilities to us directly through the program," said security director Kathy Wang in a blog post.
Get rich with Firefox or *(int *)NULL = 0 trying: Automated bug-bounty hunter build toutedREAD MORE
Through its HackerOne page, GitLab promised to pay out up to $12,000 for critical bugs responsibly disclosed to it. It also pledged to respond to submitted reports "within 5 business days" or fewer.
Back in 2014, GitLab first ran a public vuln disclosure programme, according to an online Q&A with Wang. While that did not offer bug bounties, the code repo site did start coughing up in December 2017 to selected partners.
As for why GitLab is taking the bug bounty program public, Wang said it was all down to "open source contribution values".
"We currently make the details of security vulnerabilities public 30 days after the mitigations have been released," she said, which compares rather well with some firms who take months to mention anything publicly – if at all.
GitLab will also be killing off support for TLS1.0 and 1.1 in a couple of weeks' time, and bounty-hunting hackers can look forward to receiving "exclusive HackerOne-only GitLab swag" as well as reasonably-sized cheques in return for disclosing vulns.