11 comments

[ 4.3 ms ] story [ 38.7 ms ] thread
It looks like it took Gitlab only a day to verify and release a fix for this issue. That's quick!
Very proud of our security team for the responsive communication and ensuring the issue is made public https://gitlab.com/gitlab-org/gitlab-ce/issues/54189#note_12...
(comment deleted)
Indeed, fantastic job!

Credit where credit's due to HackerOne co-founder jobert, too. Seems he's made a decent living [0] out of making GitLab more secure.

On the flipside, as a GitLab user, I'm glad to see you guys are so generous with bounties to encourage more detailed (and fascinating) reports like these. :)

[0] https://hackerone.com/jobert?order_direction=DESC&order_fiel...

Appreciate the transparency. Was there any evidence of exploitation found? At least the researcher should have been identified as true positive compromising their own account to ensure post mortem investigation was correct and no other customers were impacted/exploited by a real adversary.
Thank you for submitting this report. We will investigate the issue as soon as possible. Due to our current workload, we will get back within 20 business days with an update.

Best regards, GitLab Security Team

Luckily someone looked at this sooner than a month later! You can see where Google's project zero came in - push for folks to prioritize security.

Underpromise and overdeliver?
I would assume that everything is screened as soon as it comes in. Then anything that looks remotely urgent/dangerous is escalated accordingly. Anything else is left pending. Under promise, over deliver via the message.
Thank you for your feedback and comment. The message is generated by our automation capability. We want to keep hackers engaged by making sure they know that the issue is successfully submitted. We usually review the report sooner than promised, but want to set expectations accordingly. The automation calculates the number of business days based on current number of reports pending, so it is not always going to be the same message.
Question to HackerOne customers – has it worked well for you? We're a small company but we want to get ahead of these kinds of things.
It would be really cool to see a blog post on how this was handled internally. IR team notification, escalation paths, internal verification, how the product team was notified, determining priority, how you decide when to disclose vs not, etc.