Case Study: GitLab strengthens product security and resolves 95 vulnerabilities with HackerOne's public bug bounty program

A HackerOne Case Study


GitLab - Customer Case Study

GitLab partnered with HackerOne to strengthen security around its open-core source code and to meet two key goals: secure the product and protect the company. Faced with a high developer-to-appsec ratio and the limits of manual review and automated scanning, GitLab added a reactive control, a public bug bounty, to catch vulnerabilities that its other controls might miss.

Launched in December 2018, the public bug bounty program on HackerOne drove strong engagement and measurable outcomes: 95 security findings resolved, more than $300,000 in bounties paid, and 35+ hackers rewarded. In the first three months the program received 266 reports (avg. 88.6/month) with 76 triaged as valid and 89 resolved; GitLab also emphasizes transparency (publishing details 30 days after a patch), automated triage and responsiveness, competitive rewards, and growing repeat participation to continuously improve product security.



GitLab

Kathy Wang

Senior Director of Security

