Skip to content

GitLab Next

Why GitLab
Pricing
Contact Sales
Explore

Sign in
Get free trial

blog post for AppSec's annual HackerOne bounty review

Review changes
Download
Patches
Plain diff

Nick Malcolm requested to merge 2022-hackerone-review into master Dec 07, 2022

Overview 69
Commits 26
Pipelines 26
Changes 1

Why is this change being made?

Each year GitLab's Application Security team likes to recap the highlights from GitLab's bug bounty program. Last year: https://about.gitlab.com/blog/2021/12/14/smashing-bugs-and-dropping-names-in-2021/

TODO

Confirm numbers & update post
- Total USD awards
- Number of researchers in 2022
- Number of researchers that submitted > 1 report
Decide if we want to highlight reports that stood out (even though no prizes this year). If so:
- (Objective) Most reputation points from submissions
- (Objective) Most reputation points from submissions from a new reporter
- (Subjective) Best written report
- (Subjective) Most innovative report
- (Subjective) Most impactful finding
- Non-blocking: email recipients to set them up with some swag store credit, using their [username]@wearehackerone.com alias
  - Created https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/338+ to coordinate emailing

IMPORTANT!! Contributors

Don't discuss the contents of any still-confidential reports. We can nominate the researcher, but we can't talk about confidential report contents, including here in the MR. Use a Internal Note comment if needed.

@gitlab-com/gl-security/appsec let's brainstorm on the checklist above 🙇

Author Checklist

Provided a concise title for this Merge Request (MR)
Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
- Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
- If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
- If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
- If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

Edited Dec 16, 2022 by Nick Malcolm

Merge request reports

Assignee

Reviewers

Request review from

Time tracking