Credit where credit's due to HackerOne co-founder jobert, too. Seems he's made a decent living [0] out of making GitLab more secure.
On the flipside, as a GitLab user, I'm glad to see you guys are so generous with bounties to encourage more detailed (and fascinating) reports like these. :)
Appreciate the transparency. Was there any evidence of exploitation found? At least the researcher should have been identified as true positive compromising their own account to ensure post mortem investigation was correct and no other customers were impacted/exploited by a real adversary.
Thank you for submitting this report. We will investigate the issue as soon as possible.
Due to our current workload, we will get back within 20 business days with an update.
Best regards,
GitLab Security Team
Luckily someone looked at this sooner than a month later! You can see where Google's project zero came in - push for folks to prioritize security.
I would assume that everything is screened as soon as it comes in. Then anything that looks remotely urgent/dangerous is escalated accordingly. Anything else is left pending. Under promise, over deliver via the message.
Thank you for your feedback and comment. The message is generated by our automation capability. We want to keep hackers engaged by making sure they know that the issue is successfully submitted. We usually review the report sooner than promised, but want to set expectations accordingly. The automation calculates the number of business days based on current number of reports pending, so it is not always going to be the same message.
It would be really cool to see a blog post on how this was handled internally. IR team notification, escalation paths, internal verification, how the product team was notified, determining priority, how you decide when to disclose vs not, etc.
11 comments
[ 4.3 ms ] story [ 38.7 ms ] threadCredit where credit's due to HackerOne co-founder jobert, too. Seems he's made a decent living [0] out of making GitLab more secure.
On the flipside, as a GitLab user, I'm glad to see you guys are so generous with bounties to encourage more detailed (and fascinating) reports like these. :)
[0] https://hackerone.com/jobert?order_direction=DESC&order_fiel...
Best regards, GitLab Security Team
Luckily someone looked at this sooner than a month later! You can see where Google's project zero came in - push for folks to prioritize security.