Security Policy
Last updated: 2026-07-03
Found a security vulnerability? Here's how to report it, what's in scope, and what to expect from the process.
Reporting a vulnerability
Send a report to hivesec [at] europe.com — a dedicated address used only for security reports. Include:
- A description of the issue and its potential impact
- Steps to reproduce, or a proof of concept
- The URL(s) or component(s) affected
This site also publishes a security.txt file (RFC 9116) at the standard location for automated discovery.
For sensitive reports, encrypt your message with our PGP public key. Verify the fingerprint before trusting it:
CE5F 9FFD 6814 183E 5608 D3A9 AC30 F990 4C61 85B4
Scope
In scope:
- The hivesecurity.gitlab.io website itself (site code, content pipeline)
- Accidentally exposed secrets — API keys, credentials, sensitive files in git history
- Cross-site scripting (XSS) or injection in any input on the site
- Subdomain takeover, misconfigured security headers, mixed content
- Vulnerable dependencies in the build pipeline that ship in the final site
Out of scope
The following are not considered valid reports:
- Vulnerabilities in GitLab Pages or GitLab's own infrastructure (report those to GitLab directly)
- Denial of service, rate-limit testing, or automated mass scanning
- Social engineering attempts against the site operator or visitors
- Missing security headers or best-practice suggestions without a demonstrated, concrete impact
- Physical access attacks
Response timeline
We aim to acknowledge valid reports within 24–48 hours. There is no fixed resolution deadline — this site is maintained by one person — but fixes are prioritized by severity, with critical issues addressed first.
Safe harbor
Security research conducted in good faith, within the scope above, and without accessing, modifying, or destroying data beyond what's needed to demonstrate the issue, will not result in legal action from us. Please give us a reasonable chance to fix the issue before any public disclosure.
Changes to this policy
This policy may be updated occasionally. The date at the top of this page reflects the most recent revision.