Keeping a secure development environment is my daily focus here at GitLab. My team and I are committed to hunting for vulnerabilities and mitigating them before they impact others. I feel equally enthusiastic about helping the development community identify potential risk. So when I had the opportunity to join an open-source security audit of Git, funded by the Open Source Technology Improvement Fund (OSTIF), I jumped at it. Little did I know it would lead to the discovery of CVE-2022-41903.
The Git security audit was run by X41 D-Sec on behalf of OSTIF. Due to prior experiences in finding vulnerabilities in Git, I was very keen on joining the audit. When Markus at X41 suggested a collaboration to the OSTIF they were very open to it, so all I had to do was convince my manager to spend some time on this audit.
This wasn't a problem at all. The to-be-done work fits nicely into our Security Research Team's Ecosystem Security Testing efforts. So we decided to donate a good chunk of my working hours towards the audit.