Does GitLab support open source developers?

Hi, apologies for posting here. I could not find any other contact point for my issue. Your HackerOne profile says to email security@gitlab.com for stuff like this, but after sending an email there, I got an auto-response bounce-back asking me to create a support ticket. My concern is not something for support to handle.

Recently someone reached out to me on Twitter noting a security vulnerability in Commonmarker, a Ruby gem used to convert commonmark/markdown to HTML, which I maintain. He says he communicated with several individuals at GitLab to work on a fix. This fix was apparently released in GitLab 15.3.2, 15.2.4 and 15.1.6 CE/EE.

I have two questions about this:

  1. Does GitLab have a private fork of this widely used gem? If so, could you be good open source stewards and upstream patches to security issues like this? I am surprised (and disappointed) that no one from your team attempted to contact me about this issue.

  2. Can you sponsor me, and the continued maintenance of this gem? Open source is free, but unfortunately the rest of the world is not.

If GitLab relies on my open source project for its operations, I think there is a moral obligation for your company to support me, either financially or with patches. You are of course under no legal obligation to do so! It just seems strange to me, given your company’s open source ethos, to take without giving. If this were just a single security related issue that would be bad enough; but you also use my html-proofer and html-pipeline gems, and now I’m concerned that there are potentially several security issues you are not divulging.

Thank you for your attention on this matter.

Hey @gjtorikian,

Welcome to the GitLab forum and thank you for sharing your concerns :slight_smile:
I shared your post with the AppSec team and we reviewed the situation.

  1. In regards to the security vulnerability:

We received a report about a vulnerability in our markdown processing code on HackerOne and assume the person who reached out to you is the person who reported that vulnerability. In our analysis, we identified the source of the issue to be in another gem that wraps Commonmarker and we reached out to the maintainers of that gem to work on a fix with them.

We always work with upstream maintainers of our dependencies and frequently contribute patches ourselves. We have no forks of Commonmarker, and please be assured that we will contact you if we identify a vulnerability in Commonmarker or any other packages you maintain.

  2. In regards to open source sponsorship:

At GitLab, we are passionate about open source projects and our GitLab for Open Source Program supports qualifying open source maintainers and teams. If you’re interested in the program or have questions, our Senior Open Source Program Manager, @bbehr would be happy to speak with you.

Our team also updated the HackerOne profile to direct users to open an issue for suggestions. Thanks for your feedback! Let me know if you have any other questions.


Great, thanks.
