GitLab has opened its bug bashing programme to anyone, and there are some pretty tasty offers for participants.
Critical bugs, which GitLab defines as those affecting more than half of its customers, could be in line for a cool $12,000. High-impact bugs score $7,500, mediums get $3,000, and even a bug that doesn't actually affect anyone could still be worth a grand.
The deals aren't quite as good as rival GitHub's. Its top whack is $20,000, and there's also a league table of contributors.
Though smaller than GitHub, GitLab is doing nicely thank you very much, bolstered by Microsoft's purchase of its rival, which ground gears for some developers whose open-source dogma has been whacked out of joint. Mixed metaphors, anyone?
GitLab's Kathy Wang explains that, whilst some select partners have been getting payouts for a while, from now on anyone can be a bug-zapper:
“We have awarded over $200,000 in bounties since the bug bounty program went live last year. This means we mitigated nearly 200 vulnerabilities reported to us.”
She goes on to explain that the Mean Time to Mitigation (MTTM), in other words the time it takes for reported bugs to be patched, has dropped to below 30 days for critical issues and 60 days for those ranked as medium, adding: "In managing a public bug bounty program, we will now be able to reward our hacker community for reporting security vulnerabilities to us directly through the program."
Initial response is also covered by a service level agreement: the aim is to acknowledge critical problems within five business days, and lesser issues within ten.
There are also penalties for anyone who abuses the system with false reports, sends data to third parties, spams, or typosquats.
GitLab, which recently received a funding boost from merchant bank Goldman Sachs, has partnered with HackerOne to manage its bug bounties, and there is already a dedicated page for anyone who wants to take part.
Source: Inquirer