GitLab CVSS Calculator

This calculator is used to calculate bounties for vulnerabilities reported to GitLab's Bug Bounty Program on HackerOne or via our Responsible Disclosure Policy. Answering the questions will calculate a severity score using the Common Vulnerability Scoring System (CVSS) which is used to calculate a suggested bug bounty based on the impact.

Other Bounty Examples

The suggested bounty amounts for issues that aren't exploitable but we would like to reward regardless are defined below:

  • Self-XSS: $100
  • Dangling DNS records pointing to an attacker-controllable service or IP address: $712

Non-CVSS Bounties

For leakage of GitLab customer data or other personal data, the suggested bounty amount is defined below. Note that each of these conditions presupposes that the data was leaked by GitLab and not by the customer themselves:

  • Security-related documentation update: $100
  • Information disclosure of unpatched GitLab security issues: $500, or bounty based on the amount of information leaked
  • Leaked customer names: $500
  • Leaked customer names, emails, financial data: $1,000
  • GitLab team member personal data leaked by GitLab (excluding email): $100 per affected team member, maximum $500. Please note that reports on these leaks through YouTube will not be awarded between 15th of August and 31st of October, as we are remediating a known issue.
  • Leaked customer tokens, keys or credentials allowing access to non-GitLab environments: discretionary amount; we will attempt to find an equivalent as if the customer system were a GitLab system and award based on that

For GitLab team member token disclosure, the suggested bounty amount is defined below. Note that to reach the "maintainer" level, the token needs to have maintainer access on gitlab-org/gitlab or an equivalent "production" project.

  • Leaked token for a non-prod system that doesn't match any criteria below: $500 (CI abuse possible)
  • Leaked token for a Developer+ direct member of a group or project under the gitlab-com or gitlab-org namespaces, without sensitive data: $1,000
  • Leaked non-maintainer access token on $7,500
  • Leaked maintainer access token on $15,000
  • Leaked admin access token on $35,000
  • Leaked product project maintainer or admin access token on $15,000 (no customer data, admin and maintainer have similar impact)

Reports about intended behavior resulting in an update of our documentation will be rewarded with a $100 bounty, as long as this update is security related.

Clarifying notes