[rtev]

The reason you see so many critical Gitlab security fixes is because they take security so seriously.

They pay huge bounties for security vulnerabilities in their products, so they get the best researchers responsibly disclosing bugs.

[skc]

This sounds like bias. Replace "Gitlab" with "Microsoft" or "Oracle" in your comment and I'd wager you'd feel differently.

[rtev]

I don’t think it is.

Microsoft has a track record for delaying fixes and marking important issues as “not a bug”, so I’m less impressed with their security.

As terrible a corporation as Oracle is, their security response team has been one of the most effective and fast-paced I’ve ever reported to. With that said, they pay nothing to researchers, so Gitlab certainly shows they care more about security.

[glintik]

Nice hypothesis, but far away from the reality

[mattl]

GitLab also releases very frequently, minimum once a month with a whole new release. Between releases usually two or three updates but occasionally more.