---
title: "GitLab's HackerOne Bug Bounty Program is public today"
author: Kathy Wang
author_gitlab: kathyw
author_twitter: wangkathy
categories: engineering
image_title: '/images/blogimages/security-cover.png'
description: "With 200 reported vulnerabilities and $200,000 awarded already, our bug bounty program is now public and open for your contributions."
tags: community, security
twitter_text: ".@gitlab's bug bounty program with @hacker0x01 is now public! Here's how you can contribute"
postType: corporate
featured: yes
---

Today, we are happy to announce that our [HackerOne bug bounty program](https://hackerone.com/gitlab) is now public. Since we opened our private bounty program in December 2017, we have been preparing to take this program public by working through some of the challenges of managing a bug bounty program.

We have awarded over $200,000 in bounties since the bug bounty program went live last year. This means we mitigated nearly 200 vulnerabilities reported to us. Our first response time to newly submitted findings has decreased significantly, from an average of 48+ hours to just seven. That reduction was achieved through security automation, and it will help us scale and better engage the hacker community.

<%= partial "includes/blog/content-newsletter-cta", locals: { variant: "b" } %>

On average, our mean time to mitigation (MTTR) for critical security issues is currently fewer than 30 days. Our current goal is to bring the MTTR metric for medium-high security issues to under 60 days, on average.

Yesterday, we released a [webinar](https://www.hackerone.com/resources/gitlab-hps-for-startups) to announce our plans to take our bug bounty program public. In managing a [public bug bounty program](https://hackerone.com/gitlab), we will now be able to reward our hacker community for reporting security vulnerabilities to us directly through the program.
The past year has been a great journey of learning about managing such a program, and we have plans to further expand upon our public program in 2019 and beyond.

We would also like to acknowledge some of our top contributors from the hacker community, including [ngalog](https://hackerone.com/ngalog), [jobert](https://hackerone.com/jobert), and [fransrosen](https://hackerone.com/fransrosen).

Check out the [program](https://hackerone.com/gitlab) to see how you can contribute!