
GitLab patches Elasticsearch private group data leak bug


Public group projects made private were still searchable via an API.
A bug bounty researcher has been awarded $3000 for disclosing a security issue in GitLab leading to the exposure of private groups. The report was made public on the HackerOne bug bounty platform on October 6. Submitted by researcher Riccardo “rpadovani” Padovani on November 29, 2019, the GitLab issue is described as a failure to remove code from Elasticsearch API search results when transferring a public group to a private group. Padovani said the medium-severity issue occurs when a project handler shifts a public group — with public projects — to private status.
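The failure mode described above is a stale search index: visibility is copied into the index when code is indexed, and a later change to the group's visibility is not propagated, so an anonymous search still returns the code. The following is an added illustration written for this page, not GitLab's code or its Elasticsearch integration. It uses an in-memory stand-in for the index, hypothetical names (`search_stale`, `search_checked`, `transfer_group_to_private`) and a constructed sample blob, and contrasts the buggy pattern of trusting the indexed visibility snapshot with two defensive patterns: re-indexing affected documents on a visibility change, and re-checking the authoritative visibility of every hit at query time.

```python
"""Stale-search-index model (constructed example, not GitLab's implementation).

Documents in the index carry a snapshot of project visibility taken at index
time. If that snapshot is not refreshed when a group is made private, a search
that trusts the snapshot leaks code to anonymous users. Two mitigations are
shown: refresh the index on the visibility change, and authorize each hit
against the authoritative project record at query time.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    group_id: int
    visibility: str                      # "public" or "private"
    members: set = field(default_factory=set)


@dataclass
class Project:
    project_id: int
    group_id: int
    visibility: str                      # authoritative value, lives in the database


@dataclass
class IndexedBlob:
    project_id: int
    content: str
    visibility: str                      # snapshot at index time; can go stale


def index_project_code(index, project, blobs):
    """Write code blobs into the index, copying the current visibility (hypothetical)."""
    for content in blobs:
        index.append(IndexedBlob(project.project_id, content, project.visibility))


def transfer_group_to_private(groups, projects, index, group_id, reindex):
    """Make a group and its projects private; optionally refresh the index too."""
    groups[group_id].visibility = "private"
    for project in projects.values():
        if project.group_id != group_id:
            continue
        project.visibility = "private"
        if reindex:                      # mitigation 1: propagate the change to the index
            for doc in index:
                if doc.project_id == project.project_id:
                    doc.visibility = "private"


def can_read(user, project, groups):
    """Authoritative access check: public project, or member of its group."""
    if project.visibility == "public":
        return True
    return user is not None and user in groups[project.group_id].members


def search_stale(index, query, user, projects, groups):
    """Buggy pattern: filters on the visibility snapshot stored in the index."""
    hits = []
    for doc in index:
        if query not in doc.content:
            continue
        group = groups[projects[doc.project_id].group_id]
        if doc.visibility == "public" or (user is not None and user in group.members):
            hits.append(doc.content)
    return hits


def search_checked(index, query, user, projects, groups):
    """Mitigation 2: re-check each hit against the authoritative project record."""
    return [doc.content for doc in index
            if query in doc.content and can_read(user, projects[doc.project_id], groups)]


def demo():
    """Run the scenario and return what each search pattern exposes (constructed)."""
    groups = {1: Group(1, "public", {"alice"})}
    projects = {10: Project(10, 1, "public")}
    index = []
    index_project_code(index, projects[10], ["secret_token = abc123  # constructed sample"])

    # Group goes private, but the index is not refreshed (the reported failure mode).
    transfer_group_to_private(groups, projects, index, 1, reindex=False)
    results = {
        "stale_anonymous": search_stale(index, "secret_token", None, projects, groups),
        "checked_anonymous": search_checked(index, "secret_token", None, projects, groups),
    }
    # Same transfer with the index refreshed: the snapshot-based search is safe too.
    transfer_group_to_private(groups, projects, index, 1, reindex=True)
    results["stale_after_reindex"] = search_stale(index, "secret_token", None, projects, groups)
    results["checked_member"] = search_checked(index, "secret_token", "alice", projects, groups)
    return results


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits}")
```

The query-time check in `search_checked` is the more robust of the two, because it stays correct even if a re-index job fails or lags; the re-index step is still worth doing so that the index does not retain data it no longer needs to serve.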
