
GitLab Vulnerability PoC: Exfiltrate and mutate repository via injected template - jakejarvis
https://hackerone.com/reports/446585
======
sytse
Very proud of our security team for the responsive communication and ensuring
the issue is made public:
[https://gitlab.com/gitlab-org/gitlab-ce/issues/54189#note_128763324](https://gitlab.com/gitlab-org/gitlab-ce/issues/54189#note_128763324)

~~~
jakejarvis
Indeed, fantastic job!

Credit where credit's due to HackerOne co-founder jobert, too. Seems he's made
a decent living [0] out of making GitLab more secure.

On the flipside, as a GitLab user, I'm glad to see you guys are so generous
with bounties to encourage more detailed (and fascinating) reports like these.
:)

[0]
[https://hackerone.com/jobert?order_direction=DESC&order_field=popular&filter=type%3Abounty-awarded](https://hackerone.com/jobert?order_direction=DESC&order_field=popular&filter=type%3Abounty-awarded)

------
conradk
It looks like it took Gitlab only a day to verify and release a fix for this
issue. That's quick!

------
privateSFacct
Thank you for submitting this report. We will investigate the issue as soon as
possible. Due to our current workload, we will get back within _20 business
days_ with an update.

Best regards, GitLab Security Team

Luckily someone looked at this sooner than a month later! You can see where
Google's Project Zero came in: pushing for folks to prioritize security.

~~~
m4tthumphrey
I would assume that everything is screened as soon as it comes in. Then
anything that looks remotely urgent/dangerous is escalated accordingly.
Anything else is left pending. Under-promise, over-deliver via the message.

------
I_have_receipts
It would be really cool to see a blog post on how this was handled internally.
IR team notification, escalation paths, internal verification, how the product
team was notified, determining priority, how you decide when to disclose vs
not, etc.

