Case Study: GitLab achieves stronger continuous security and over $1M in bounty payouts with HackerOne

A HackerOne Case Study

Preview of the GitLab Case Study

An Inherent Focus on Transparency and Community

GitLab, an open core DevOps software company, needed to scale its security practices to protect its platform for over 100,000 customers, aligning with its transparent and community-driven ethos. The challenge was to augment its internal security team with external expertise without sacrificing its core values or rapid growth. GitLab partnered with the vendor HackerOne to launch a hacker-powered security program, starting with a vulnerability disclosure policy (VDP).

The solution from HackerOne involved a "crawl, walk, run" approach, beginning with a non-paying VDP that evolved into a private and then a public bug bounty program. This allowed GitLab to methodically build its triage and response processes. The results were significant: GitLab paid over $1.2 million in bounties, resolved more than 550 vulnerability reports, and achieved an average response time of one hour to researcher submissions. The HackerOne program provided continuous security testing from a global community, solidifying GitLab's defense-in-depth strategy.


GitLab

James Ritche

Bug Bounty Program Manager


HackerOne