GitLab CVSS Calculator

This calculator is used to calculate bounties for vulnerabilities reported to GitLab's Bug Bounty Program on HackerOne or via our Responsible Disclosure Policy. Answering the questions produces a severity score using the Common Vulnerability Scoring System (CVSS), which is then used to calculate a suggested bug bounty based on the impact.

Other Bounty Examples

The suggested bounty amounts for issues that are not exploitable but that we would nonetheless like to reward are defined below:

  • Self-XSS: $100

Non-CVSS Bounties

For leakage of GitLab customer data or other PII, the suggested bounty amount would be as defined below. Note that each of these conditions presupposes that the data was leaked by GitLab and not by the customer themselves:

  • Security-related documentation update: $100
  • Leaked customer names: $500
  • Leaked customer names, emails, financial data: $1,000
  • GitLab team member PII leaked by GitLab: $1,000 per affected team member, maximum $10,000
  • Leaked customer tokens, keys or credentials allowing access to non-GitLab environments: discretionary amount; we will attempt to find the equivalent impact had the customer system been a GitLab system and award based on that

For GitLab team member token disclosure, the suggested bounty amount would be as defined below. Note that to reach the "maintainer" level, the token needs to have maintainer access on gitlab-org/gitlab or an equivalent "production" project.

  • Leaked token for a non-prod system that doesn't match any criteria below: $500 (CI abuse possible)
  • Leaked token for a Developer+ direct member of a group or project under the gitlab-com or gitlab-org namespaces, without sensitive data: $1,000
  • Leaked non-maintainer access token on gitlab.com: $7,500
  • Leaked maintainer access token on gitlab.com: $15,000
  • Leaked admin access token on gitlab.com: $35,000
  • Leaked product project maintainer or admin access token on staging.gitlab.com: $15,000 (no customer data, admin and maintainer have similar impact)

Reports about intended behavior that result in an update of our documentation will be rewarded with a $100 bounty, as long as the update is security related.