Update HackerOne reports based on remediation flow in GitLab
Problem to solve
With the HackerOne integration service, we want to automatically include HackerOne findings in the GitLab remediation workflow. This is done by creating vulnerabilities (and issues) in GitLab that can be managed like any other vulnerability.
Security researchers can then focus on the vulnerability itself, regardless of its source.
Some of the information produced during remediation, for example the milestone in which the vulnerability will be fixed, is useful in the original HackerOne thread, because external researchers typically have no access to the GitLab project where the remediation is happening.
The service can also provide a flow from GitLab back to HackerOne and post that feedback when needed.
Target audience
- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst
Further details
Our Security Team already has a script to update the milestone. We can check how it works.
Proposal
Keep track of the relationship between the original HackerOne report and the GitLab vulnerability (and issue).
When new information becomes available, for example when a milestone is set, push it back to the original HackerOne thread so the researcher is aware of it.
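As an illustration of the proposed GitLab-to-HackerOne path, the following is an added example written for this issue; it is not code from the HackerOne integration service or from the Security Team's milestone script. It assumes a small store that links (project id, issue iid) to a HackerOne report id, a GitLab issue webhook whose payload carries `object_attributes` and a `changes.milestone_id` entry with `previous`/`current`, and the HackerOne v1 "activity-comment" endpoint for posting a comment on a report. The HTTP call is left to the caller so the module runs offline; the webhook secret, ids and milestone titles are constructed sample values.

```python
"""Sketch of the GitLab -> HackerOne feedback path described in the proposal.

Added example, not the integration service's own code. Assumptions:
- the HackerOne report <-> GitLab issue link is kept in a store keyed by
  (project_id, issue_iid);
- GitLab notifies us through an issue webhook whose payload carries
  `object_attributes` and, on change, `changes.milestone_id`
  with `previous`/`current`;
- HackerOne accepts a report comment via its v1 API
  (`POST /v1/reports/{id}/activities`, type "activity-comment").
The HTTP call itself is left to the caller so the module runs offline.
"""
import hmac
from typing import Optional

# Constructed sample store: (project_id, issue_iid) -> HackerOne report id.
REPORT_LINKS = {
    (42, 7): "123456",
}

# Constructed sample: milestone titles we are willing to disclose to the
# external researcher. A milestone not listed here is never pushed outward.
MILESTONE_TITLES = {
    11: "12.10",
    12: "13.0",
}

HACKERONE_API = "https://api.hackerone.com/v1"  # assumed base URL


def verify_gitlab_token(headers: dict, secret: str) -> bool:
    """GitLab sends the configured secret in the X-Gitlab-Token header.
    Compare in constant time and refuse anything else before acting."""
    presented = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(presented, secret)


def milestone_change(payload: dict) -> Optional[tuple]:
    """Return (project_id, issue_iid, new_milestone_id) when an issue
    webhook reports a milestone being set; None for anything else,
    including a milestone being removed (current is None)."""
    if payload.get("object_kind") != "issue":
        return None
    change = payload.get("changes", {}).get("milestone_id")
    if not change or change.get("current") is None:
        return None
    attrs = payload["object_attributes"]
    return (attrs["project_id"], attrs["iid"], change["current"])


def hackerone_comment_request(report_id: str, milestone_title: str) -> dict:
    """Describe the request for a researcher-visible comment on the report.
    Only the milestone title goes out: no internal issue URL or notes."""
    return {
        "method": "POST",
        "url": f"{HACKERONE_API}/reports/{report_id}/activities",
        "json": {
            "data": {
                "type": "activity-comment",
                "attributes": {
                    "message": f"Fix scheduled for milestone {milestone_title}.",
                    "internal": False,  # visible to the external researcher
                },
            }
        },
    }


def handle_webhook(headers: dict, payload: dict, secret: str) -> Optional[dict]:
    """Full path: authenticate the hook, find the linked report, and build
    the HackerOne request. Returns None when nothing should be sent."""
    if not verify_gitlab_token(headers, secret):
        return None
    change = milestone_change(payload)
    if change is None:
        return None
    project_id, iid, milestone_id = change
    report_id = REPORT_LINKS.get((project_id, iid))
    title = MILESTONE_TITLES.get(milestone_id)
    if report_id is None or title is None:
        return None
    return hackerone_comment_request(report_id, title)


if __name__ == "__main__":
    # Constructed webhook payload: a milestone was just set on the linked issue.
    sample = {
        "object_kind": "issue",
        "object_attributes": {"project_id": 42, "iid": 7, "milestone_id": 11},
        "changes": {"milestone_id": {"previous": None, "current": 11}},
    }
    print(handle_webhook({"X-Gitlab-Token": "s3cret"}, sample, "s3cret"))
```

Two design points matter here: the webhook token is checked before anything is looked up, so an unauthenticated caller cannot make the service post to HackerOne, and the outbound message is built from an allowlist of milestone titles rather than from the raw payload, so internal issue details never leak into the public report thread.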