Researcher Earns $20,000 From GitLab for Critical Vulnerability (Security News, April 2020)

A researcher has earned $20,000 from GitLab after reporting a critical vulnerability that could have been exploited to obtain sensitive information from a server and to execute arbitrary code.
The vulnerability was discovered in March 2020 by William Bowling, who noticed that an attacker could read arbitrary files from the server when moving an issue from one GitLab project to another.
As GitLab developers pointed out, no special privileges were needed: an attacker only had to create their own project or group and then move an issue from one project to another to trigger the flaw.
In recent months, Bowling earned a total of more than $50,000 from GitLab for several critical and high-severity vulnerabilities.
GitLab reported in December 2019 that it had paid out over half a million dollars through its bug bounty program over the past year.