'Exclusive swag' up for grabs as GitLab flings bug bounty scheme open to world+dog

DevOps outfit GitLab has opened its bug bounty scheme to world+dog, having paid out $200,000 last year and fixed "nearly 200 vulnerabilities reported to us".

"In managing a public bug bounty program, we will now be able to reward our hacker community for reporting security vulnerabilities to us directly through the program," said security director Kathy Wang in a blog post.

Through its HackerOne page, GitLab promised to pay out up to $12,000 for critical bugs responsibly disclosed to it. It also pledged to respond to submitted reports "within 5 business days" or fewer.

Back in 2014, GitLab first ran a public vuln disclosure programme, according to an online Q&A with Wang. While that did not offer bug bounties, the code repo site did start coughing up in December 2017 to selected partners.

As for why GitLab is taking the bug bounty program public, Wang said it was all down to "open source contribution values".

"We currently make the details of security vulnerabilities public 30 days after the mitigations have been released," she said, which compares rather well with some firms who take months to mention anything publicly – if at all.

GitLab will also be killing off support for TLS1.0 and 1.1 in a couple of weeks' time, and bounty-hunting hackers can look forward to receiving "exclusive HackerOne-only GitLab swag" as well as reasonably-sized cheques in return for disclosing vulns.

GitLab was last in the news for accidentally splitting its brains in half, as well as shifting its main site onto Google Cloud after Microsoft bought out rival site Github. ®