Security News > 2020 > April > Researcher Earns $20,000 From GitLab for Critical Vulnerability
A researcher has earned $20,000 from GitLab after reporting a critical vulnerability that could have been exploited to obtain sensitive information from a server and to execute arbitrary code.
The vulnerability was discovered in March by William Bowling, who noticed that an attacker could obtain arbitrary files from a server when moving an issue from one GitLab project to another.
As GitLab developers pointed out, an attacker could have exploited the vulnerability by creating their own project or group and moving an issue from one project to another.
In recent months, Bowling earned a total of more than $50,000 from GitLab for several critical and high-severity vulnerabilities.
GitLab reported in December 2019 that it had paid out over half a million dollars through its bug bounty program over the past year.
News URL
Related news
- Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking (source)
- IBM scores perfect 10 ... vulnerability in mission-critical OS AIX (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)