Active Profile page prior to Account Confirmation

Problem to solve

Currently we are seeing multiple spam accounts being created whose accounts are never "Confirmed". The bad actor has partly achieved their goal regardless, because the unconfirmed account already has a public profile page containing the information they want to publish. Examples:

  1. https://gitlab.com/992474871
  2. https://gitlab.com/991780539
  3. https://gitlab.com/987770826
  4. https://gitlab.com/13169015com

Intended users

New Users

Further details

Benefits/Goal of curbing this issue:

  1. Improve brand reputation as a result of "Cleaner" platform
  2. Better metrics on (valid) account creation/platform growth
  3. Reduce Abuse workload by reducing automated spam account creation

Proposal

  1. Do not make user profile pages public prior to the account being confirmed by the user.
  2. Account activation should include reCAPTCHA v3 and email confirmation.

Documentation

Possibly:

  1. https://docs.gitlab.com/ee/security/user_email_confirmation.html
  2. https://about.gitlab.com/handbook/support/workflows/services/gitlab_com/confirmation_emails.html

Testing

A possible risk is increased friction on account creation.

What does success look like, and how can we measure that?

Success: Reduction in automated spam accounts being created

Measure:

  1. Number of accounts being created
  2. Number of Unconfirmed Accounts created
  3. Number of Spam Accounts (blocked)
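To make the Proposal and the Measure list concrete, here is an added example (not GitLab's code) of the profile-visibility gate and the three measures above; the `User` struct, the sample accounts and the date window are constructed for illustration and do not mirror GitLab's models.

```ruby
require 'time'

# Constructed user record with the states the proposal cares about.
# A nil confirmed_at means the email was never confirmed.
User = Struct.new(:id, :created_at, :confirmed_at, :blocked_as_spam, :admin,
                  keyword_init: true) do
  def confirmed?; !confirmed_at.nil?; end
  def admin?;     admin == true;      end
  def spam?;      blocked_as_spam == true; end
end

# Decides whether `viewer` (nil for an anonymous visitor) may see the public
# profile of `user`. Unconfirmed accounts are visible only to their owner and
# to admins, so an unconfirmed spam account has no public page to link to.
def profile_visible?(user, viewer)
  return true  if viewer&.admin?           # admins can always review a profile
  return false if user.spam?               # blocked spam accounts are never public
  return true  if user.confirmed?          # confirmed accounts keep today's behaviour
  !viewer.nil? && viewer.id == user.id     # unconfirmed: only the owner sees it
end

# The three measures from the proposal, for accounts created in [from, to).
def signup_metrics(users, from:, to:)
  created = users.select { |u| u.created_at >= from && u.created_at < to }
  {
    created:      created.size,
    unconfirmed:  created.count { |u| !u.confirmed? },
    spam_blocked: created.count(&:spam?)
  }
end

# Constructed sample data: one day's signups plus an older admin account.
DAY_START = Time.utc(2020, 1, 1)
DAY_END   = Time.utc(2020, 1, 2)
SAMPLE_USERS = [
  User.new(id: 1, created_at: Time.utc(2020, 1, 1, 8),   confirmed_at: Time.utc(2020, 1, 1, 9)),
  User.new(id: 2, created_at: Time.utc(2020, 1, 1, 10),  confirmed_at: nil),
  User.new(id: 3, created_at: Time.utc(2020, 1, 1, 11),  confirmed_at: nil, blocked_as_spam: true),
  User.new(id: 4, created_at: Time.utc(2019, 12, 31, 23), confirmed_at: Time.utc(2019, 12, 31, 23, 30)),
  User.new(id: 9, created_at: Time.utc(2019, 6, 1),      confirmed_at: Time.utc(2019, 6, 1), admin: true)
]
ANON  = nil
ADMIN = SAMPLE_USERS.last

if __FILE__ == $PROGRAM_NAME
  puts "unconfirmed user 2 visible to anonymous? #{profile_visible?(SAMPLE_USERS[1], ANON)}"
  puts signup_metrics(SAMPLE_USERS, from: DAY_START, to: DAY_END).inspect
end
```

Tracking the `created` / `unconfirmed` / `spam_blocked` counts per day before and after the change shows whether the gate actually reduces automated signups rather than just hiding them.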

Links / references

Related to: https://gitlab.com/gitlab-com/gl-security/operations/issues/247

/label ~feature

Edited by Charl de Wit