Security Department Gearing Ratios
Bug bounties
The gearing ratio for bug bounty expenditure is as follows:
- The cost of a compromise is estimated at 1% of company worth
- Bug Bounty budget is determined as 10% of a compromise
- Bug Bounty top reward is determined as 1% of budget
An illustration: if GitLab is worth $3.5 billion, a significant compromise is estimated to cost GitLab $35 million (1% of company worth). 10% of that gives a $3.5 million bug bounty budget, and 1% of the budget gives a $35,000 top reward.
Approximate monthly budget should be set at total budget divided by 12. It should be understood that our bug bounty payouts are largely unpredictable and fluctuate based on the following:
- Number and severity of vulnerabilities introduced into GitLab and shipped to production
- Participation of research community
- Reward ranges
This gearing ratio is owned by the Product Security Sub-department. The cost of a compromise should be re-evaluated at least annually based on the average market cap of GTLB over the previous 6 months.
Security Incident Response Team (SIRT) size
SIRT is the sole carrier of the Security On-Call (SEOC) rotation, which ensures that there’s a page-able Security Engineer 24/7/365. The baseline and gearing ratio for the size of the SIRT have been agreed on as outlined below:
Baseline:
- 12 team members to cover 3 time zones in an 8-hour, follow-the-sun rotation:
- 4 team members in JAPAC
- 4 team members in EMEA
- 4 team members in AMER
Gearing ratio that triggers a review of team size:
- If the number of pages to SEOC per month exceeds the monthly average of the previous 12 months by more than 50% for 3 consecutive months
- If the number of pages to SEOC per year exceeds the previous year's total by more than 100%
- If the total number of GitLab team members increases by more than 20% compared to the previous year
This gearing ratio is owned by the Security Operations Sub-department.
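The three review triggers above are simple to state but easy to miscount by hand (trailing windows, consecutive runs, partial years). The following script is an added illustration, not handbook or GitLab code: it evaluates all three triggers over a constructed month-by-month page count. It assumes that the "previous 12 months" average excludes the month being tested, that months are keyed as `YYYY-MM` strings in chronological order, and that the yearly comparison only considers complete years; none of these details are stated on the page.

```python
"""Evaluate the SEOC team-size review triggers over monthly page counts.

Added example, not GitLab handbook code. Assumptions not stated on the page:
- the trailing 12-month average excludes the month under test;
- `pages` is a dict of 'YYYY-MM' -> page count, in chronological order;
- the year-over-year comparison skips years without all 12 months.
"""
from statistics import mean

# Constructed sample data (not real GitLab figures): SEOC pages per month.
SAMPLE_PAGES = {
    "2023-01": 20, "2023-02": 22, "2023-03": 18, "2023-04": 21,
    "2023-05": 19, "2023-06": 20, "2023-07": 23, "2023-08": 17,
    "2023-09": 21, "2023-10": 20, "2023-11": 19, "2023-12": 20,
    "2024-01": 31, "2024-02": 33, "2024-03": 35, "2024-04": 22,
}


def monthly_spike_months(pages, window=12, threshold=0.5, consecutive=3):
    """Trigger 1: return every month that completes a run of `consecutive`
    months, each exceeding the trailing `window`-month average by more
    than `threshold` (50%). The trailing window ends the month before."""
    keys = list(pages)
    run = 0
    hits = []
    for i in range(window, len(keys)):
        trailing = mean(pages[k] for k in keys[i - window:i])
        if pages[keys[i]] > trailing * (1 + threshold):
            run += 1
        else:
            run = 0
        if run >= consecutive:
            hits.append(keys[i])
    return hits


def yearly_doubling(pages, complete_only=True):
    """Trigger 2: return years whose total pages exceed the previous year's
    total by more than 100%. Incomplete years are skipped by default so a
    partial current year is not compared against a full previous one."""
    totals, months_seen = {}, {}
    for month, count in pages.items():
        year = month[:4]
        totals[year] = totals.get(year, 0) + count
        months_seen[year] = months_seen.get(year, 0) + 1
    years = sorted(y for y in totals if not complete_only or months_seen[y] == 12)
    return [cur for prev, cur in zip(years, years[1:]) if totals[cur] > 2 * totals[prev]]


def headcount_trigger(previous_year, current_year, threshold=0.2):
    """Trigger 3: True when company headcount grew by more than `threshold`
    (20%) year over year (headcount figures supplied by the caller)."""
    return current_year > previous_year * (1 + threshold)


def review_triggers(pages, previous_headcount, current_headcount):
    """Evaluate all three triggers; any non-empty/True value warrants a review."""
    return {
        "monthly_spike": monthly_spike_months(pages),
        "yearly_doubling": yearly_doubling(pages),
        "headcount_growth": headcount_trigger(previous_headcount, current_headcount),
    }


if __name__ == "__main__":
    # Constructed headcount figures, not real GitLab numbers.
    for trigger, result in review_triggers(SAMPLE_PAGES, 2000, 2300).items():
        print(f"{trigger}: {result}")
```

With the sample data the first trigger fires at 2024-03 (third consecutive month more than 50% above its trailing average), the partial 2024 year is skipped for the yearly comparison, and 15% headcount growth stays under the 20% line.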
Security Compliance Team Staffing
The weighted gearing ratio for Security Compliance team size accounts for certification complexity:
Certification Complexity Weighting:
- High Complexity (2.0 FTE): FedRAMP, DoD
- Medium Complexity (1.0 FTE): ISO standards, PCI DSS, ISMAP, IRAP, CMMC
- Standard Complexity (0.5 FTE): SOC 2, TISAX, Cyber Essentials
Formula: Required FTE = Σ(Active Certifications × Complexity Weight) + 1 Core Operations Staff
This ratio should be re-evaluated when:
- Adding certifications that introduce new geographic or regulatory domains
- Certification requirements significantly change
- Automation capabilities reduce manual effort by >30%
This gearing ratio is owned by the Security Compliance team and should be re-evaluated annually during budget planning.
Security Compliance External Audit Budget
Annual audit budget is tiered based on certification complexity and requirements:
Budget Tiers:
- Tier 1 ($200K-$300K): FedRAMP, DoD, ISMAP
- Tier 2 ($100K-$150K): ISO 27001, IRAP, CMMC
- Tier 3 ($50K-$75K): SOC 2, PCI SAQ, TISAX, ISO, Cyber Essentials
Budget should include 10% contingency for scope changes and remediation validation audits.
This gearing ratio is owned by the Security Compliance team and should be re-evaluated annually during budget planning.