GitLab has gone public with details of its bug bounty programme, having doled out $200,000 over the last year to eager vuln spotters.
This works out at roughly $1,000 per bug spotted, though the HackerOne page for the programme shows rewards ranging from $150 to $11,000 to date.
Under the just-announced programme, critical bugs – those affecting more than half of GitLab’s customers – earn their spotters $12,000.
High-impact bugs merit $7,000, medium-impact bugs earn $3,000, and even spotting a low-impact bug – i.e., one that affects no actual customers – will make you $1,000. However, rewards are at the discretion of GitLab.
By way of comparison, GitHub’s bug bounty scheme offers rewards from $555 to $20,000 – as well as points, and a “leaderboard” highlighting top spotters.
Overall, said GitLab, 196 reports were “resolved”, with 106 “hackers” thanked for their contributions. GitLab said it had reduced its first response time to 7 hours, from more than 48 hours.
It added, “On average, our mean time to mitigation (MTTR) for critical security issues is currently less than 30 days. Our current goal is to now focus on bringing the MTTR metric for medium-high security issues to less than 60 days, on average.”