GitLab CVSS Calculator
This calculator is used to calculate bounties for vulnerabilities reported to GitLab's Bug Bounty Program on HackerOne or via our Responsible Disclosure Policy. Answering the questions produces a severity score under the Common Vulnerability Scoring System (CVSS), which in turn determines the suggested bug bounty based on the impact.
Other Bounty Examples
The suggested bounty amounts for issues that aren't exploitable but we would like to reward regardless are defined below:
- Self-XSS: $100
- Dangling DNS records pointing to an attacker-controllable service or IP address: $712
For leakage of GitLab customer data or other personal data, the suggested bounty amounts are defined below. Note that each of these conditions presupposes that the data was leaked by GitLab and not by the customer themselves:
- Security-related documentation update: $100
- Leaked customer names: $500
- Leaked customer names, emails, financial data: $1,000
- GitLab team member personal data leaked by GitLab: $1,000 per affected team member, maximum $10,000
- Leaked customer tokens, keys or credentials allowing access to non-GitLab environments: discretionary amount; we will attempt to find the equivalent GitLab system (treating the customer system as if it were a GitLab system) and award based on that
For GitLab team member token disclosure, the suggested bounty amount would be as defined below. Note that to reach the "maintainer" level, the token needs to have maintainer access on gitlab-org/gitlab or an equivalent "production" project.
- Leaked token for a non-prod system that doesn't match any criteria below: $500 (CI abuse possible)
- Leaked token for a Developer+ direct member of a group or project under the gitlab-com or gitlab-org namespaces, without sensitive data: $1,000
- Leaked non-maintainer access token on gitlab.com: $7,500
- Leaked maintainer access token on gitlab.com: $15,000
- Leaked admin access token on gitlab.com: $35,000
- Leaked product project maintainer or admin access token on staging.gitlab.com: $15,000 (no customer data, admin and maintainer have similar impact)
Reports about intended behavior resulting in an update of our documentation will be rewarded with a $100 bounty, as long as this update is security related.
- When evaluating Availability impacts for DoS that require sustained traffic, use the 1k Reference Architecture. The number of requests must be fewer than the "test request per seconds rates" and cause 10+ seconds of user-perceivable unavailability to rate the impact as