GitLab awards researcher $20,000, patches remote code execution bug

From zdnet.com

GitLab has awarded a cybersecurity researcher $20,000 for reporting a serious remote code execution vulnerability on the platform.

Discovered by William “vakzz” Bowling, a programmer and bug bounty hunter, the vulnerability was privately disclosed through the HackerOne bug bounty platform on March 23.

Bowling said that GitLab’s UploadsRewriter function, used to copy files, was the source of the critical security issue. 

Read more…