Identify yourself as a security researcher
4/3/2023, 12:08:52 PM (about 1 year ago)

Hi all

We've made an update to the Rules of Engagement for all our programs with regards to identifying yourself to us.

We were already requiring the use of your @intigriti.be email address while testing e.g. subscription flows.
But since this covers only a small section of what you could be testing on our domains, we've added the requirement of using the X-Intigriti-Username: {Username} request header.

This allows us to better differentiate your traffic from Internet background radiation.
Not only that: should you be blocked by one of our security tools, we can investigate what triggered the block.
As long as you did not breach any of the Rules of Engagement or Code of Conduct, we can then unblock you.
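As an added illustration (not code from DPG Media or Intigriti), the following Python shows how a defender can use the X-Intigriti-Username header to separate self-identified researcher traffic from background noise and to find what a blocked researcher triggered. The log lines and their format (client IP, request, status, logged header value or "-", security-tool action) are constructed for this example.

```python
import re

# Constructed sample access-log lines (not real DPG Media logs). Assumed format:
# client_ip "METHOD path" status "X-Intigriti-Username value or -" waf_action
SAMPLE_LOG = """\
203.0.113.10 "GET /login" 200 "alice" allow
198.51.100.7 "GET /wp-login.php" 403 "-" block
203.0.113.10 "POST /api/subscribe" 403 "alice" block
192.0.2.44 "GET /.env" 404 "-" allow
203.0.113.22 "GET /api/articles?page=9999" 429 "bob" block
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)" (allow|block)$')


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, username, action = m.groups()
    return {
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        # A logged "-" means the request carried no X-Intigriti-Username header.
        "username": None if username == "-" else username,
        "action": action,
    }


def split_traffic(log_text):
    """Split requests into researcher traffic (header present) and background noise."""
    researcher, background = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        (researcher if rec["username"] else background).append(rec)
    return researcher, background


def blocks_by_researcher(records):
    """Map each self-identified researcher to the requests a security tool blocked,
    so the team can review what triggered the block before deciding to unblock."""
    out = {}
    for rec in records:
        if rec["username"] and rec["action"] == "block":
            out.setdefault(rec["username"], []).append(f'{rec["method"]} {rec["path"]}')
    return out
```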

Happy hacking!
~ the IT Security team of DPG Media

JEZ! temporarily out-of-scope
2/27/2023, 9:36:04 AM (about 1 year ago)

Hi all

We're temporarily moving the website of the JEZ! action (*.jezofficial.be) out-of-scope while we're doing some internal security reviews and updates.
Rest assured that this measure is only temporary and we'll add it to our scope as soon as possible!

In the meantime, feel free to have a look at any of our other brands ;)

Happy hacking!
~ the IT Security team of DPG Media

Clarification on submitting reports on 0-days
12/16/2021, 2:25:34 PM (over 2 years ago)

Hi all

We wanted to let you know that we've updated our program's policy to better reflect our position on 0-day reports.

Our previous policy contained the following in the Out of scope section:

Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available.
We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.

This meant that any submission for a recent 0-day (or a 1-day for which a patch had only recently been published) was de facto considered out-of-scope.

What's changed?

We've removed the above-mentioned statement from the Out of scope section and have clarified our position on 0-day reporting in the Severity assessment section.

Cool-down period for zero-days
Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.
We may however decide to offer a bonus at our own discretion!

Depending on the type of vulnerability, the availability of patches, and our organisation's coverage of patching, we may still decide to grant you a bonus.

For example, we may have missed an application while patching our systems, and because of your submissions we've identified this gap and were able to fix it.
In such a situation, we may decide to grant you a bonus as a token of our appreciation.

This policy change should make it clearer for you and fellow security researchers that we do appreciate your efforts in helping us identify impacted systems.

Happy hacking!
~ the IT Security team of DPG Media