Commit f8a48a7a authored by James Ritchey, committed by Kathy Wang

Registration Runner Token Leak Incident blog post

parent c941735b
---
title: "An Update on Project Runner Registration Token Exposed Through Issues Quick Actions Vulnerability"
categories: security
author: Kathy Wang
author_gitlab: kathyw
tags: security
---
## Background
On March 20, 2019 we released a [critical security release](https://about.gitlab.com/2019/03/20/critical-security-release-gitlab-11-dot-8-dot-3-released/) for a vulnerability in quick actions for issues that could expose project runner registration tokens to unauthorized users. This was originally reported to us on March 14 through our public HackerOne program (identified by [jobert](https://hackerone.com/jobert)).
## Response & Mitigation
In order to mitigate this issue, we developed and applied a patch on GitLab.com on March 17th 2019, and expedited the release of a critical security fix to ensure that both GitLab.com and our self-managed customers received a timely mitigation.
On March 24th 2019 we reset runner registration tokens for all projects hosted on GitLab.com. If you are a GitLab.com user and have automation in place that relies on runner registration tokens, please reset those tokens following the instructions in the [official documentation](https://docs.gitlab.com/ee/ci/runners/#resetting-the-registration-token-for-a-project). If you do not have automation in place that relies on runner registration tokens, no further action is required on your part.
We have performed an initial investigation and found no evidence to suggest that there has been any security compromise to any project as a result of this issue, but we will continue to investigate and explore ways to help better detect such issues moving forward.
In keeping with our company value of transparency, we also believe in communicating about such incidents clearly and promptly. We apologize for the impact this issue may have caused to our users. GitLab takes securing your information and your data extremely seriously. We have significantly grown the size of our internal security team in the last six months, with further plans to grow in 2019 and beyond. We will learn from this incident as we continue to improve our security posture.
If you have any questions, please contact support@gitlab.com.