GitLab Security Shorts, 29 Oct 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Bug Bounty Hunter Riccardo Padovani discusses his approach to hunting bugs on GitLab

Description

Learn more about how Riccardo Padovani (@rpadovani on HackerOne), GitLab Hero and Bug Bounty contributor, conducts security research on GitLab to identify vulnerabilities as part of our HackerOne bug bounty program.

See his full AMA at: https://youtu.be/SK_vuZCafZ4.
Check out his "Ask a Hacker" blog: https://about.gitlab.com/blog/2020/11/10/rpadovani-ask-a-hacker/.

Learn more about GitLab security programs at https://about.gitlab.com/security/ and our HackerOne program at https://hackerone.com/gitlab.

A

So mainly, there are different things I can do so one thing usually is catching up with all the latest changes you have deployed or latest feature I've been presented and for this is very useful. Your blog, since the 23 of the month, you deployed a new version and you have a long blog post with all the new features you I can play tweets so like now and these last few months, I've took a look to the iteration.

A

Then now you can collect issue by iterations um is a very useful feature, so we already use it during my job. We use for planning, sprints, and so I've took a look if, for any reason, the feature itself or the api behind it like graphql or rest.

A

uh If they leak some data, I haven't found anything so far, but they suppose that is because has it been implemented similar to the milestone, so nothing very new, um then sometimes I take a look to the source code, so maybe I insert the most recent merged, merge requests or just going around to some modules in the gitlab code base and the other thing. I have a list of small issues that are not like real vulnerabilities, just some issues or some strange behavior, and I try to change them together or see.

A

If I can change something else to find.

A