Submit bug report: https://about.gitlab.com/security/disclosure/
Disclosure Guidelines for Vulnerabilities in 3rd Party Software
When a security vulnerability in a 3rd party product is discovered by GitLab team members, the following disclosure guideline applies:
The first priority is our users.
Therefore, for any vulnerability discovered in a dependency of GitLab, we'll make sure our users are not affected.
For the disclosure process that follows, our priority is to get the reported vulnerability fixed.
If the 3rd party acknowledges the vulnerability and is working on a patch, we will keep vulnerability details confidential until the issue is fixed.
If possible, we will verify the fix before it is published.
In special cases we might release details without a fix to make the public aware. This might, for instance, be the case when a vulnerability is being actively exploited.
We aim for a fix within a 90-day deadline.
We will treat this as a soft deadline and, when reporting, help the 3rd party meet it.
We will try to coordinate with the affected 3rd party to have a patch released before we release an advisory.
Resulting advisories will be published in the disclosures repository.