Commit 3b0cb72d authored by James Ritchey

Merge branch 'es-add-h1-award-process' into 'master'

Add process for awarding ultimate license to H1 reporter

See merge request !42325
parents f06822e5 54573bac
Pipeline #122590996 passed with stages in 10 minutes and 20 seconds
......@@ -1200,6 +1200,25 @@ When this happens inform the researcher why it is not a vulnerability. It is up
When GitLab receives reports, via HackerOne or other means, which might affect third parties the reporter will be encouraged to report the vulnerabilities upstream. On a case-by-case basis, e.g. for urgent or critical issues, GitLab might proactively report security issues upstream while being transparent to the reporter and making sure the original reporter will be credited. GitLab team members however will not attempt to re-apply unique techniques observed from bug bounty related submissions towards unrelated third parties which might be affected.
#### Awarding Ultimate Licenses
GitLab reporters with 3 or more valid reports are eligible for a 1-year Ultimate license for up to 5 users. As per the [H1 policy](https://gitlab.com/gitlab-com/gl-security/hackerone/configuration/-/blob/master/program-policy.md#gitlab-ultimate-license), reporters will request the license through a comment on one of their issues. When a reporter has requested a license, the following steps should be taken:
1. Validate that the three reports were valid. That means they are `Triaged` or `Resolved`.
1. Validate that the three reports have not been used to obtain a previous license.
1. If the reports are not valid, respond to the reporter on H1 explaining the reason the license is not being issued.
1. If the reports are valid, create the license on `https://license.gitlab.com`,
- For `Name` use the reporters fullname if available, otherwise their H1 handle
- For `Company` use `H1 Reporter Award`
- For `Email` use the reporter's `[username]@wearehackerone.com` email address
- `User Count` is up to 5
- `GitLab Plan` is `Ultimate`
- The license should start the day of issue and expire in 1 year
1. Enter the associated license information in the [H1 License Award sheet](https://docs.google.com/spreadsheets/d/1qJZ9jfIvQuSU5u4odj4Db_CRKJ_GHegtSZQvJx36FUE/edit)
1. Reply to the report on H1 use the `20 - Ultimate License Creation` template.
The license will be sent to the reporter by the License app. If the reporter claims that the license has not arrived, the app can be used to resend the license.
When that happens, the creation of a new license should be avoided.
### Security Dashboard Review
**Frequency:** Daily
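Review bot: step 2 of the new "Awarding Ultimate Licenses" procedure ("Validate that the three reports have not been used to obtain a previous license") names no source of truth for that check, and step 5 only says to enter "the associated license information" in the H1 License Award sheet. Suggest stating that the sheet records the H1 report IDs consumed by each award, so that step 2 is performed against the sheet rather than from memory; otherwise the same three reports can plausibly be reused. Smaller wording points in the same hunk: step 4 ends with a comma before its sub-list where a colon belongs; "reporters fullname" should read "reporter's full name"; and step 6 "Reply to the report on H1 use the `20 - Ultimate License Creation` template" should read "using the ... template".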