Transparency by Default

Purpose

In alignment with our company value of Transparency, one focus of the security organization is to be the most transparent security organization in business today. Transparency by default requires us to challenge the status quo, in which security teams traditionally operate in a very private and closed-off manner. However, being open by default requires us to be even more diligent in categorizing data in order to ensure the protection of our customers, our company, and team member data. Therefore, our position is that all information and activities produced by the security team should be considered “Public by Default” unless they fall into one of the categories defined below:

Open to GitLab, Partners, Customers

This information is externally available only to GitLab Partners or Customers, because widespread availability of this data can be damaging to GitLab or can risk the security or privacy of GitLab, GitLab customers, or GitLab partners.

  • Control status
  • 3rd party audit reports
  • RFP database responses
  • 3rd party penetration test report summaries
  • Aggregate vulnerability metrics (by severity only)
  • Security Team Roadmap

Open to GitLab

This information is open to GitLab but not publicly (handbook) available because it contains information that could risk the confidentiality, security, or privacy of internal company information. The public availability of this information could pose a significant risk to GitLab or its customers.

  • Vendor Audit Reports
  • Procedures/Runbooks/work instructions containing sensitive or personal data
  • Customer questionnaires
  • Detailed control test results to include observations and remediation plans
  • Gap analysis reports
  • Project management documentation containing sensitive or personal data
  • Security metrics
  • Security KPIs
  • Security OKRs
  • Unmitigated vulnerabilities
  • HackerOne vulnerability submissions post internal triage
  • 3rd party penetration test full detail reports
  • Information about security incidents or investigations handled by SIRT that are not considered high-severity or sensitive
  • Red Team operation reports
  • Vulnerabilities patched or resolved more than 30 days ago
  • Concluded security incidents that do not contain Materially Non-Public Information

Restricted: Security Only or other restrictions imposed

This information is restricted because it contains confidential data or raises privacy concerns related to company, customer, or individual data that would be significantly damaging if disclosed, or because it is otherwise restricted by law or by legal contract.

  • Customer contracts / Open to Security Only (and Legal, Sales)
    • Due to confidential customer data
  • Open/closed security customer support tickets / Open to (Security, Support)
    • Due to customer, individual privacy requirements
  • Audit Evidence
    • Due to the sensitive nature of the data being provided which can include personal data, system data and current risks including open vulnerabilities
  • Legal Holds
  • Work communication (emails, Slack) related to specific topics or team members
  • Risk Register
  • HackerOne vulnerability submissions prior to internal triage
  • Critical preventative or detective security control configurations
  • Baseline security configurations
  • Vulnerabilities that are unique to the FedRAMP production environment
  • Information related to GitLab.com abusive activity and follow-up activity taken by the Trust & Safety team
    • Due to customer, individual privacy requirements
    • Due to the necessity to keep our anti-abuse processes unknown to abusive actors
  • Information about security incidents or investigations that have not yet been marked as closed/resolved by the SIRT
    • Due to the sensitive nature of security incidents and the information involved (unpatched vulnerabilities, compromised credentials)