GitLab patches Elasticsearch private group data leak bug

Public group projects made private were still searchable via an API.
A bug bounty researcher has been awarded $3,000 for disclosing a security issue in GitLab that exposed the code of private groups. The report was made public on the HackerOne bug bounty platform on October 6. Submitted by researcher Riccardo "rpadovani" Padovani on November 29, 2019, the GitLab issue is described as a failure to remove code from Elasticsearch-backed search API results when a public group is transferred to private. Padovani said the medium-severity issue occurs when a project handler moves a public group, together with its public projects, to private status.
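The bug class behind this report is a search index that carries its own copy of an access-control attribute, so the index and the database disagree after a visibility change. The following constructed model, added here and not GitLab's code or Padovani's report, reproduces that desync and shows the two fixes a practitioner would want: re-index on visibility change, and authorize search hits against the live project record rather than the indexed copy. Class and method names are assumptions chosen for the illustration.

```python
# Constructed model of the reported bug class (not GitLab code): the blob index
# stores a copy of each project's visibility at index time, so a group moved from
# public to private keeps answering anonymous code searches until it is re-indexed.
from dataclasses import dataclass
from typing import Dict, List, Set

PUBLIC, PRIVATE = "public", "private"


@dataclass
class Project:
    id: int
    group: str
    visibility: str
    files: Dict[str, str]  # path -> file content


@dataclass
class BlobDoc:
    """One indexed file. `visibility` is copied at index time and can go stale."""
    project_id: int
    path: str
    content: str
    visibility: str


class GitLabModel:
    def __init__(self) -> None:
        self.projects: Dict[int, Project] = {}  # the database: source of truth
        self.index: List[BlobDoc] = []          # the Elasticsearch-like blob index

    def add_project(self, p: Project) -> None:
        self.projects[p.id] = p
        self.reindex(p.id)

    def reindex(self, project_id: int) -> None:
        """Drop the project's documents and index them again with current metadata."""
        p = self.projects[project_id]
        self.index = [d for d in self.index if d.project_id != project_id]
        self.index += [BlobDoc(p.id, path, text, p.visibility) for path, text in p.files.items()]

    def transfer_group(self, group: str, visibility: str, reindex: bool) -> None:
        """Move every project in `group` to `visibility`. With reindex=False only the
        database changes (the buggy behaviour); with reindex=True the index follows."""
        for p in self.projects.values():
            if p.group == group:
                p.visibility = visibility
                if reindex:
                    self.reindex(p.id)

    def search_stale(self, term: str, member_projects: Set[int]) -> List[str]:
        """Vulnerable: trusts the visibility stored inside the index document."""
        return [f"{d.project_id}:{d.path}" for d in self.index
                if term in d.content
                and (d.visibility == PUBLIC or d.project_id in member_projects)]

    def search_live(self, term: str, member_projects: Set[int]) -> List[str]:
        """Hardened: authorizes each hit against the database, not the index copy."""
        return [f"{d.project_id}:{d.path}" for d in self.index
                if term in d.content
                and (self.projects[d.project_id].visibility == PUBLIC
                     or d.project_id in member_projects)]


def demo() -> Dict[str, List[str]]:
    """Walk through the scenario; the constructed secret stands in for leaked code."""
    gl = GitLabModel()
    gl.add_project(Project(1, "acme", PUBLIC, {"config.py": "DB_PASSWORD = 'hunter2'"}))
    anonymous: Set[int] = set()
    before = gl.search_stale("DB_PASSWORD", anonymous)
    gl.transfer_group("acme", PRIVATE, reindex=False)     # the buggy transfer
    leaked = gl.search_stale("DB_PASSWORD", anonymous)    # still returns the blob
    live = gl.search_live("DB_PASSWORD", anonymous)       # live check blocks it
    gl.transfer_group("acme", PRIVATE, reindex=True)      # the fixed transfer
    after_reindex = gl.search_stale("DB_PASSWORD", anonymous)
    member = gl.search_live("DB_PASSWORD", {1})           # members keep access
    return {
        "before_transfer": before,
        "stale_index_after_transfer": leaked,
        "live_check_after_transfer": live,
        "stale_index_after_reindex": after_reindex,
        "member_after_transfer": member,
    }


if __name__ == "__main__":
    for step, hits in demo().items():
        print(f"{step}: {hits}")
```

Re-indexing alone is fragile (a failed background job leaves the stale documents in place), so the query-time check against the source of truth is the defence to keep even after re-indexing is fixed. On a real instance, the equivalent check after making a group private is an unauthenticated `GET /api/v4/search?scope=blobs&search=<term>` (the blobs scope exists only with Elasticsearch-backed search enabled), which should return nothing from the now-private projects.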