GitLab refills bug bounty pot – but still pays less than GitHub

GitLab has jacked up the bug bounties it pays to anyone spotting the more serious vulnerabilities in its platform, with $20,000 on offer for the worst flaws – though this still trails what arch rival GitHub pays out for the most serious snafus.

The DevOps platform vendor launched its bug bounty programme a year ago, offering anyone who spotted a “critical” bug $12,000. High impact bugs netted $7,000 and medium offenders $3,000, while mundane low impact bugs would score you $1,000.

This compared to a $555 to $20,000 range from GitHub, which also offered “points” and a look-at-me leaderboard.

As of this week, GitLab will pay out $20,000 for critical bugs, which potentially affect over 50 per cent of its users. High impact flaws – hitting multiple users – get you $10,000.

Which is nice, but perhaps not as nice as the potential returns researchers can get spotting bugs on GitHub.

The Microsoft tentacle now pays out $20,000 to $30,000 for the most critical bugs, but adds this band “is only a guideline and GitHub may reward higher amounts for exceptional reports.”

High severity bugs get $10,000 to $20,000, with $4,000 to $10,000 on offer for medium severity issues, while low severity issues merit $617 to $2,000.

Meanwhile, GitLab has shipped a patch release, v12.4.3, which fixes a series of bugs and regressions in previous versions – including the 12.4.2 patch release pushed out two weeks ago. The issues appear relatively minor, with the blog post announcing the release mercifully free of words like “critical”, “serious” and “update immediately”.