A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award. The flaw was reported to GitLab by software developer William Bowling via the HackerOne bug bounty platform on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.1. The issue is a path-traversal flaw in the UploadsRewriter function of GitLab, which is used to duplicate files.
Source: https://threatpost.com/critical-gitlab-flaw-bounty-20k/155295/
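As an added illustration (not GitLab's own code), a Ruby sketch of a file-duplication helper with the path-containment check whose absence makes a traversal bug like the one described possible; the uploads layout and helper names are assumptions.

```ruby
require "fileutils"
require "tmpdir"

# Resolve a user-supplied relative path against the uploads root and refuse
# anything that escapes it. Returns the absolute path, or nil if rejected.
def safe_upload_path(uploads_root, relative)
  root = File.realpath(uploads_root)
  candidate = File.expand_path(relative, root)
  # Containment check: the resolved path must live inside the root.
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  # realpath follows symlinks, so a link pointing outside the root is rejected too.
  return nil unless File.exist?(candidate) &&
                    File.realpath(candidate).start_with?(root + File::SEPARATOR)
  candidate
end

# Duplicate an upload from one project's uploads directory into another,
# refusing relative paths that resolve outside the source root.
def duplicate_upload(src_root, dst_root, relative)
  src = safe_upload_path(src_root, relative)
  return false if src.nil?
  FileUtils.mkdir_p(dst_root)
  FileUtils.cp(src, File.join(dst_root, File.basename(src)))
  true
end

# Demo on constructed files in a temporary directory (hypothetical layout):
# a legitimate upload is copied, a traversal path is refused and leaks nothing.
def demo
  Dir.mktmpdir do |tmp|
    src_root = File.join(tmp, "project_a", "uploads")
    dst_root = File.join(tmp, "project_b", "uploads")
    FileUtils.mkdir_p(src_root)
    File.write(File.join(src_root, "diagram.png"), "png-bytes")
    File.write(File.join(tmp, "secret.txt"), "not an upload")
    {
      normal: duplicate_upload(src_root, dst_root, "diagram.png"),
      traversal: duplicate_upload(src_root, dst_root, "../../secret.txt"),
      copied: File.exist?(File.join(dst_root, "diagram.png")),
      leaked: File.exist?(File.join(dst_root, "secret.txt"))
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```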

