GKS Bug Bounty Program

Program Overview

This bug bounty program invites ethical security researchers to help us identify and resolve security vulnerabilities in GitKraken systems. We value the security research community and are committed to working collaboratively to improve our security posture.
Please note: This program does not cover Git Integration for Jira. Git Integration for Jira has a separate bug bounty program in BugCrowd. If you wish to participate, you can create a BugCrowd researcher account, and we’ll happily add you to the Bounty Program for Git Integration for Jira.

Get Started

  • Do not access, impact, destroy or otherwise negatively impact GitKraken customers, or customer data in any way.
  • Ensure that you use an email address that can be easily identified as belonging to a security researcher, something like [email protected]
  • Ensure you understand the targets, scopes, exclusions, and rules below.

Focus Areas

Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Cross Instance Data Leakage/Access**

  • Server-side Remote Code Execution (RCE)

  • Server-Side Request Forgery (SSRF)

  • Stored/Reflected Cross-site Scripting (XSS)

  • Cross-site Request Forgery (CSRF)

  • SQL Injection (SQLi)

  • XML External Entity Attacks (XXE)

  • Path/Directory Traversal Issues

  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.)

  • Authentication and authorization flaws / Privilege escalation

Ensure you review the out of scope and exclusions list for further details.

** Cross Instance Data Leakage/Access refers to unauthorized data access between customers.

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a detailed explanation will be provided to the researcher – along with the opportunity to appeal, and make a case for a higher priority.

Note: If the same vulnerability exists in different hosting solutions of a single app, we may pay for this vulnerability once if the codebase and the fix are the same. We reserve the right to make this decision on a case-by-case basis.

Additionally, there are apps that have distinct listings, or appear separate, but do in fact share the same codebase or infrastructure. In such cases we will only pay once across these apps, unless an environmentally unique vulnerability is discovered.

XSS on self-hosted instances that requires administrator privileges will be scored as P5 Informational and not awarded any monetary bounty, as it does not let the attacker compromise Confidentiality, Integrity or Availability any more than they already could as an administrator. SSRF on self-hosted servers will be treated in the same way.

Only the latest version of a self-hosted product is eligible for a reward. All vulnerabilities/exploits must be proven to work in the latest version of the GitKraken product.

Targets

Target              Type
gitkraken.dev       Website
api.gitkraken.dev   Website
GitKraken Desktop   Desktop Application

Bounties

Rating   Bounty
P1       $2000
P2       $900
P3       $300
P4       $100
P5       Nothing

Out-of-Scope Targets

The following targets are specifically marked as out of scope.

Rules, Exclusions, and Scopes

Any domain/property of GitKraken not listed in the Targets section is strictly out of scope (for more information please see the Out-of-Scope and exclusions sections below).

GitKraken Desktop, GitKraken Launchpad, and GitLens share a common backend and account management infrastructure; any issue found in one app will likely be found in the others. Please report all issues you find, although if a researcher submits a finding for one app that is identical to one already found in another, the submission will be treated as a duplicate.

Out-of-Scope

Anything not declared as a target or in scope above should be considered out of scope for the purposes of this bug bounty. However, to help avoid grey areas, below are examples of what is considered out of scope.

  • Blind XSS must not return any user data that you do not have access to (e.g. screenshots, cookies that aren’t owned by you, etc.); when testing for blind XSS, please use the least invasive test possible (e.g. calling a 1×1 image or a nonexistent page on your own web server, etc.).

  • When testing, please exercise caution if injecting on any form that may be publicly visible – such as forums, etc. Before injection, please make sure your payload can be removed from the site. If it cannot be easily removed, please check with us before performing the testing.

  • No pivoting or post exploitation attacks (i.e. using a vulnerability to find another vulnerability) are allowed on this program. DO NOT under any circumstance leverage a finding to identify further issues.

  • Any GitKraken website is out of scope for this bounty unless it is directly accessible from one of the targets or any associated services attached to the instance.

  • Any account or repository that you are not an owner of – do not impact GitKraken customers in any way.

  • Only the latest version of our products is eligible for a reward.

  • Any internal or development services.

The following finding types are specifically excluded from the bounty:

  • Lack of Rate Limiting on any of the targets.

  • The use of automated scanners is strictly prohibited (we have these tools too – don’t even think about using them).

  • Descriptive error messages (e.g. Stack Traces, application or server errors).

  • Fingerprinting / banner disclosure on common/public services.

  • Clickjacking and issues only exploitable through clickjacking.

  • Logout Cross-Site Request Forgery (logout CSRF).

  • Content Spoofing.

  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.

  • Lack of Security Speedbump when leaving the site.

  • Weak Captcha / Captcha Bypass.

  • Login or Forgot Password page brute force and account lockout not enforced.

  • Username / email enumeration.

  • Missing HTTP security headers (see the OWASP Secure Headers Project), e.g.

    • Strict-Transport-Security.

    • X-Frame-Options.

    • X-XSS-Protection.

    • X-Content-Type-Options.

    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.

    • Content-Security-Policy-Report-Only.

    • Cache-Control and Pragma.

  • HTTP/DNS cache poisoning.

  • SSL/TLS Issues, e.g.

    • SSL Attacks such as BEAST, BREACH, Renegotiation attack.

    • SSL Forward secrecy not enabled.

    • SSL weak/insecure cipher suites.

  • Self-XSS reports will not be accepted.

    • Similarly, any XSS where local access is required (e.g. User-Agent header injection) will not be accepted. The only exception will be if you can show a working off-path MitM attack that allows the XSS to trigger.

  • Vulnerabilities that are limited to unsupported or deprecated browsers will not be accepted (e.g. “this exploit only works in IE6/IE7”).

  • Known vulnerabilities in used libraries, or reports that an Atlassian product uses an outdated third-party library (e.g. jQuery, Apache HttpComponents, etc.), unless you can prove exploitability.

  • Missing or incorrect SPF records of any kind.

  • Missing or incorrect DMARC records of any kind.

  • Source code disclosure vulnerabilities.

  • Information disclosure of non-confidential information (e.g. issue IDs, project IDs, commit hashes).

  • The ability to upload/download viruses or malicious files to the platform.

  • Email bombing/Flooding/rate limiting.

Code of Conduct

  • Test only against in-scope targets.

  • Respect user privacy and data. You must ensure that customer data is not affected in any way as a result of your testing. Please ensure you’re being non-destructive whilst testing and are only testing on instances/accounts that you own.

  • In addition to the above, customer data is not to be accessed in any way (i.e. no customer data is accessed, customer credentials are not to be used or “verified”, etc.).
    – If you believe you have found sensitive customer data (e.g. login credentials, API keys, etc.) or a way to access customer data (i.e. through a vulnerability), report it, but do not attempt to validate that it works.

  • Use of any automated tools/scanners is strictly prohibited and will lead to you being removed from the program (trust us, we have those tools too).

  • Reports need to be submitted in plain text (associated pictures/videos are fine as long as they’re in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.

  • Grants/awards are at the discretion of GitKraken and we reserve the right to grant, modify or deny grants. But we’ll be fair about it.

  • Tax implications of any payouts are the sole responsibility of the reporter.

  • Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.

  • Do NOT test the physical security of GitKraken offices, employees, equipment, etc.

  • This bounty follows GitKraken’s standard disclosure terms.

  • Do not disrupt our services or other users.

  • Do not perform attacks that could harm availability.

  • Do not execute social engineering attacks.

  • Do not disclose vulnerabilities publicly before resolution.

  • Do not violate any applicable laws or regulations.

Reporting Guidelines

Submit reports via our Bug Bounty Help Desk. Reports should include:

  • Clear vulnerability description

  • Step-by-step reproduction instructions

  • Proof of concept (screenshots, videos, code)

  • Potential business impact assessment

  • Suggested remediation steps (optional)

Payment Terms

  • If you are eligible to receive payment as part of the GitKraken Bug Bounty Program, GitKraken shall pay a one-time, gross payment in the dollar amount determined by the vulnerability rating. All payments are processed in USD.

  • Vulnerability ratings are based on target, priority, and assessed severity of the vulnerability as defined in the “Targets” section.

  • All rating, granting, awards, and payments are at the discretion of GitKraken, including the right to withhold, modify, and deny payments.

  • All recipients receiving payment must complete the requested tax and other documentation prior to payment. US taxpayers must provide an IRS Form W-9 and will receive a 1099 Form for federal tax income purposes.

  • GitKraken reserves the right to determine payment processing method; payment is generally processed via wire transfer.

Public Disclosure

Before disclosing an issue publicly we require that you first request permission from us. GitKraken will process requests for public disclosure on a per-report basis. Requests to publicly disclose an issue that has not yet been fixed for customers will be rejected. Any researcher found publicly disclosing reported vulnerabilities without GitKraken’s written consent will have any allocated bounty withdrawn and will be disqualified from the program.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;

  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;

  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and

  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.