Last year we signed the Secure by Design pledge - here's our progress

GitLab signed the Secure by Design Pledge, a directive to embed security into products from the outset of development, and has made significant progress in improving its security posture. To meet the pledge's security goals, GitLab has made additions and improvements across the development lifecycle. One goal was to increase the use of multi-factor authentication; GitLab is rolling out MFA by Default in phases to ensure a smooth adoption. Another goal was to reduce default passwords; to harden instances, GitLab uses randomly generated root passwords and deletes password files after 24 hours. GitLab has also published secure coding guidelines to reduce vulnerabilities and continues to improve its SAST rule coverage. The company has also taken action to increase customers' installation of security patches and provides comprehensive guidance on upgrading self-managed instances. GitLab has published a vulnerability disclosure policy and maintains a strong bug bounty program. It has also demonstrated transparency in vulnerability reporting and has published an incident response guide to help customers respond to incidents. These security enhancements have strengthened GitLab's platform and given customers a more reliable and secure foundation to build on.
about.gitlab.com